feature: simple support DOH server

2023-11-11 09:58:11 +08:00
parent d02bceabf1
commit ef806ecc9c
7 changed files with 219 additions and 31 deletions
--- a/etc/smartdns/smartdns.conf
+++ b/etc/smartdns/smartdns.conf
@@ -30,6 +30,8 @@
 #      tls cert file
 #   bind-cert-key-pass [password]
 #      tls private key password
 # bind-https server
 #   bind-https [IP]:[port][@device] [-group [group]] [-no-rule-addr] [-no-rule-nameserver] [-no-rule-ipset] [-no-speed-check] [-no-cache] [-no-rule-soa] [-no-dualstack-selection]
 # option:
 #   -group: set domain request to use the appropriate server group.
 #   -no-rule-addr: skip address rule.
--- a/src/dns_client.c
+++ b/src/dns_client.c
@@ -3328,7 +3328,7 @@ static int _dns_client_send_https(struct dns_server_info *server_info, void *pac
 						"POST %s HTTP/1.1\r\n"
 						"Host: %s\r\n"
 						"User-Agent: smartdns\r\n"
-						"content-type: application/dns-message\r\n"
+						"Content-Type: application/dns-message\r\n"
 						"Content-Length: %d\r\n"
 						"\r\n",
 						https_flag->path, https_flag->httphost, len);
--- a/src/dns_conf.c
+++ b/src/dns_conf.c
@@ -2218,7 +2218,7 @@ static int _config_bind_ip(int argc, char *argv[], DNS_BIND_TYPE type)
 	bind_ip->flags = server_flag;
 	bind_ip->group = group;
 	dns_conf_bind_ip_num++;
-	if (bind_ip->type == DNS_BIND_TYPE_TLS) {
+	if (bind_ip->type == DNS_BIND_TYPE_TLS || bind_ip->type == DNS_BIND_TYPE_HTTPS) {
 		if (bind_ip->ssl_cert_file == NULL || bind_ip->ssl_cert_key_file == NULL) {
 			bind_ip->ssl_cert_file = dns_conf_bind_ca_file;
 			bind_ip->ssl_cert_key_file = dns_conf_bind_ca_key_file;
@@ -2249,6 +2249,11 @@ static int _config_bind_ip_tls(void *data, int argc, char *argv[])
 	return _config_bind_ip(argc, argv, DNS_BIND_TYPE_TLS);
 }
 static int _config_bind_ip_https(void *data, int argc, char *argv[])
 {
 	return _config_bind_ip(argc, argv, DNS_BIND_TYPE_HTTPS);
 }
 static int _config_option_parser_filepath(void *data, int argc, char *argv[])
 {
 	if (argc <= 1) {
@@ -4098,6 +4103,7 @@ static struct config_item _config_item[] = {
 	CONF_CUSTOM("bind", _config_bind_ip_udp, NULL),
 	CONF_CUSTOM("bind-tcp", _config_bind_ip_tcp, NULL),
 	CONF_CUSTOM("bind-tls", _config_bind_ip_tls, NULL),
 	CONF_CUSTOM("bind-https", _config_bind_ip_https, NULL),
 	CONF_CUSTOM("bind-cert-file", _config_option_parser_filepath, &dns_conf_bind_ca_file),
 	CONF_CUSTOM("bind-cert-key-file", _config_option_parser_filepath, &dns_conf_bind_ca_key_file),
 	CONF_STRING("bind-cert-key-pass", dns_conf_bind_ca_key_pass, DNS_MAX_PATH),
--- a/src/dns_server.c
+++ b/src/dns_server.c
@@ -27,6 +27,7 @@
 #include "dns_conf.h"
 #include "fast_ping.h"
 #include "hashtable.h"
 #include "http_parse.h"
 #include "list.h"
 #include "nftset.h"
 #include "tlog.h"
@@ -1101,7 +1102,7 @@ static void _dns_server_conn_release(struct dns_server_conn_head *conn)
 			tls_client->ssl = NULL;
 		}
 		pthread_mutex_destroy(&tls_client->ssl_lock);
-	} else if (conn->type == DNS_CONN_TYPE_TLS_SERVER) {
+	} else if (conn->type == DNS_CONN_TYPE_TLS_SERVER || conn->type == DNS_CONN_TYPE_HTTPS_SERVER) {
 		struct dns_server_conn_tls_server *tls_server = (struct dns_server_conn_tls_server *)conn;
 		if (tls_server->ssl_ctx != NULL) {
 			SSL_CTX_free(tls_server->ssl_ctx);
@@ -1141,6 +1142,71 @@ static int _dns_server_reply_tcp_to_buffer(struct dns_server_conn_tcp_client *tc
 	return 0;
 }
 static int _dns_server_reply_http_error(struct dns_server_conn_tcp_client *tcpclient, int code, const char *code_msg,
 										const char *message)
 {
 	int send_len = 0;
 	int http_len = 0;
 	unsigned char data[DNS_IN_PACKSIZE];
 	http_len = snprintf((char *)data, DNS_IN_PACKSIZE,
 						"HTTP/1.1 %d %s\r\n"
 						"\r\n"
 						"%s",
 						code, code_msg, message);
 	send_len = _dns_server_tcp_socket_send(tcpclient, data, http_len);
 	if (send_len < 0) {
 		if (errno == EAGAIN) {
 			/* save data to buffer, and retry when EPOLLOUT is available */
 			return _dns_server_reply_tcp_to_buffer(tcpclient, data, http_len);
 		}
 		return -1;
 	} else if (send_len < http_len) {
 		/* save remain data to buffer, and retry when EPOLLOUT is available */
 		return _dns_server_reply_tcp_to_buffer(tcpclient, data + send_len, http_len - send_len);
 	}
 	return 0;
 }
 static int _dns_server_reply_https(struct dns_request *request, struct dns_server_conn_tcp_client *tcpclient,
 								   void *packet, unsigned short len)
 {
 	int send_len = 0;
 	int http_len = 0;
 	unsigned char inpacket_data[DNS_IN_PACKSIZE];
 	unsigned char *inpacket = inpacket_data;
 	if (len > sizeof(inpacket_data)) {
 		tlog(TLOG_ERROR, "packet size is invalid.");
 		return -1;
 	}
 	http_len = snprintf((char *)inpacket, DNS_IN_PACKSIZE,
 						"HTTP/1.1 200 OK\r\n"
 						"content-type: application/dns-message\r\n"
 						"Content-Length: %d\r\n"
 						"\r\n",
 						len);
 	memcpy(inpacket + http_len, packet, len);
 	http_len += len;
 	send_len = _dns_server_tcp_socket_send(tcpclient, inpacket, http_len);
 	if (send_len < 0) {
 		if (errno == EAGAIN) {
 			/* save data to buffer, and retry when EPOLLOUT is available */
 			return _dns_server_reply_tcp_to_buffer(tcpclient, inpacket, http_len);
 		}
 		return -1;
 	} else if (send_len < http_len) {
 		/* save remain data to buffer, and retry when EPOLLOUT is available */
 		return _dns_server_reply_tcp_to_buffer(tcpclient, inpacket + send_len, http_len - send_len);
 	}
 	return 0;
 }
 static int _dns_server_reply_tcp(struct dns_request *request, struct dns_server_conn_tcp_client *tcpclient,
 								 void *packet, unsigned short len)
 {
@@ -1255,6 +1321,8 @@ static int _dns_reply_inpacket(struct dns_request *request, unsigned char *inpac
 		ret = _dns_server_reply_tcp(request, (struct dns_server_conn_tcp_client *)conn, inpacket, inpacket_len);
 	} else if (conn->type == DNS_CONN_TYPE_TLS_CLIENT) {
 		ret = _dns_server_reply_tcp(request, (struct dns_server_conn_tcp_client *)conn, inpacket, inpacket_len);
 	} else if (conn->type == DNS_CONN_TYPE_HTTPS_CLIENT) {
 		ret = _dns_server_reply_https(request, (struct dns_server_conn_tcp_client *)conn, inpacket, inpacket_len);
 	} else {
 		ret = -1;
 	}
@@ -6112,47 +6180,104 @@ static int _dns_server_tcp_process_one_request(struct dns_server_conn_tcp_client
 	int total_len = tcpclient->recvbuff.size;
 	int proceed_len = 0;
 	unsigned char *request_data = NULL;
-	int ret = 0;
+	int ret = RECV_ERROR_FAIL;
 	int len = 0;
 	struct http_head *http_head = NULL;
 	/* Handling multiple requests */
 	for (;;) {
-		if ((total_len - proceed_len) <= (int)sizeof(unsigned short)) {
+		ret = RECV_ERROR_FAIL;
-			ret = RECV_ERROR_AGAIN;
+		if (tcpclient->head.type == DNS_CONN_TYPE_HTTPS_CLIENT) {
-			break;
+			if ((total_len - proceed_len) <= 0) {
 				ret = RECV_ERROR_AGAIN;
 				goto out;
 			}
 			http_head = http_head_init(4096);
 			if (http_head == NULL) {
 				goto out;
 			}
 			len = http_head_parse(http_head, (char *)tcpclient->recvbuff.buf, tcpclient->recvbuff.size);
 			if (len < 0) {
 				if (len == -1) {
 					ret = 0;
 					goto out;
 				}
 				tlog(TLOG_DEBUG, "remote server not supported.");
 				goto errout;
 			}
 			if (http_head_get_method(http_head) != HTTP_METHOD_POST) {
 				tlog(TLOG_DEBUG, "remote server not supported.");
 				goto errout;
 			}
 			const char *content_type = http_head_get_fields_value(http_head, "Content-Type");
 			if (content_type == NULL ||
 				strncmp(content_type, "application/dns-message", sizeof("application/dns-message")) != 0) {
 				tlog(TLOG_DEBUG, "content type not supported, %s", content_type);
 				goto errout;
 			}
 			request_len = http_head_get_data_len(http_head);
 			if (request_len >= len) {
 				tlog(TLOG_DEBUG, "request length is invalid.");
 				goto errout;
 			}
 			request_data = (unsigned char *)http_head_get_data(http_head);
 			proceed_len += len;
 		} else {
 			if ((total_len - proceed_len) <= (int)sizeof(unsigned short)) {
 				ret = RECV_ERROR_AGAIN;
 				break;
 			}
 			/* Get record length */
 			request_data = (unsigned char *)(tcpclient->recvbuff.buf + proceed_len);
 			request_len = ntohs(*((unsigned short *)(request_data)));
 			if (request_len >= sizeof(tcpclient->recvbuff.buf)) {
 				tlog(TLOG_DEBUG, "request length is invalid.");
 				return RECV_ERROR_FAIL;
 			}
 			if (request_len > (total_len - proceed_len - sizeof(unsigned short))) {
 				ret = RECV_ERROR_AGAIN;
 				break;
 			}
 			request_data = (unsigned char *)(tcpclient->recvbuff.buf + proceed_len + sizeof(unsigned short));
 			proceed_len += sizeof(unsigned short) + request_len;
 		}
 		/* Get record length */
 		request_data = (unsigned char *)(tcpclient->recvbuff.buf + proceed_len);
 		request_len = ntohs(*((unsigned short *)(request_data)));
 		if (request_len >= sizeof(tcpclient->recvbuff.buf)) {
 			tlog(TLOG_DEBUG, "request length is invalid.");
 			return RECV_ERROR_FAIL;
 		}
 		if (request_len > (total_len - proceed_len - sizeof(unsigned short))) {
 			ret = RECV_ERROR_AGAIN;
 			break;
 		}
 		request_data = (unsigned char *)(tcpclient->recvbuff.buf + proceed_len + sizeof(unsigned short));
 		/* process one record */
 		ret = _dns_server_recv(&tcpclient->head, request_data, request_len, &tcpclient->localaddr,
 							   tcpclient->localaddr_len, &tcpclient->addr, tcpclient->addr_len);
 		if (ret != 0) {
 			return ret;
 		}
 		proceed_len += sizeof(unsigned short) + request_len;
 	}
 out:
 	if (total_len > proceed_len && proceed_len > 0) {
 		memmove(tcpclient->recvbuff.buf, tcpclient->recvbuff.buf + proceed_len, total_len - proceed_len);
 	}
 	tcpclient->recvbuff.size -= proceed_len;
 errout:
 	if (http_head) {
 		http_head_destroy(http_head);
 	}
 	if (ret == RECV_ERROR_FAIL && tcpclient->head.type == DNS_CONN_TYPE_HTTPS_CLIENT) {
 		_dns_server_reply_http_error(tcpclient, 400, "Bad Request", "Bad Request");
 	}
 	return ret;
 }
@@ -6273,7 +6398,14 @@ static int _dns_server_tls_accept(struct dns_server_conn_tls_server *tls_server,
 	memset(tls_client, 0, sizeof(*tls_client));
 	tls_client->head.fd = fd;
-	tls_client->head.type = DNS_CONN_TYPE_TLS_CLIENT;
+	if (tls_server->head.type == DNS_CONN_TYPE_TLS_SERVER) {
 		tls_client->head.type = DNS_CONN_TYPE_TLS_CLIENT;
 	} else if (tls_server->head.type == DNS_CONN_TYPE_HTTPS_SERVER) {
 		tls_client->head.type = DNS_CONN_TYPE_HTTPS_CLIENT;
 	} else {
 		tlog(TLOG_ERROR, "invalid http server type.");
 		goto errout;
 	}
 	tls_client->head.server_flags = tls_server->head.server_flags;
 	tls_client->head.dns_group = tls_server->head.dns_group;
 	tls_client->head.ipset_nftset_rule = tls_server->head.ipset_nftset_rule;
@@ -6402,10 +6534,10 @@ static int _dns_server_process(struct dns_server_conn_head *conn, struct epoll_e
 			tlog(TLOG_DEBUG, "process TCP packet from %s failed.",
 				 get_host_by_addr(name, sizeof(name), (struct sockaddr *)&tcpclient->addr));
 		}
-	} else if (conn->type == DNS_CONN_TYPE_TLS_SERVER) {
+	} else if (conn->type == DNS_CONN_TYPE_TLS_SERVER || conn->type == DNS_CONN_TYPE_HTTPS_SERVER) {
 		struct dns_server_conn_tls_server *tls_server = (struct dns_server_conn_tls_server *)conn;
 		ret = _dns_server_tls_accept(tls_server, event, now);
-	} else if (conn->type == DNS_CONN_TYPE_TLS_CLIENT) {
+	} else if (conn->type == DNS_CONN_TYPE_TLS_CLIENT || conn->type == DNS_CONN_TYPE_HTTPS_CLIENT) {
 		struct dns_server_conn_tls_client *tls_client = (struct dns_server_conn_tls_client *)conn;
 		ret = _dns_server_process_tls(tls_client, event, now);
 		if (ret != 0) {
--- a/src/http_parse.c
+++ b/src/http_parse.c
@@ -111,10 +111,10 @@ const char *http_head_get_fields_value(struct http_head *http_head, const char *
 	uint32_t key;
 	struct http_head_fields *filed;
-	key = hash_string(name);
+	key = hash_string_case(name);
 	hash_for_each_possible(http_head->field_map, filed, node, key)
 	{
-		if (strncmp(filed->name, name, 128) == 0) {
+		if (strncasecmp(filed->name, name, 128) == 0) {
 			return filed->value;
 		}
 	}
@@ -205,7 +205,7 @@ static int _http_head_add_fields(struct http_head *http_head, char *name, char *
 	fields->value = value;
 	list_add_tail(&fields->list, &http_head->field_head.list);
-	key = hash_string(name);
+	key = hash_string_case(name);
 	hash_add(http_head->field_map, &fields->node, key);
 	return 0;
--- a/src/include/hash.h
+++ b/src/include/hash.h
@@ -21,6 +21,7 @@
 #include "bitmap.h"
 #include "jhash.h"
 #include <ctype.h>
 /* Fast hashing routine for ints,  longs and pointers.
   (C) 2002 Nadia Yvette Chambers, IBM */
@@ -223,11 +224,28 @@ static inline uint32_t hash_string_initval(const char *s, uint32_t initval)
 	return h;
 }
 static inline uint32_t hash_string_case_initval(const char *s, uint32_t initval)
 {
 	uint32_t h = initval;
 	while (*s) {
 		h = h * 31 + tolower(*s);
 		s++;
 	}
 	return h;
 }
 static inline uint32_t hash_string(const char *s)
 {
 	return hash_string_initval(s, 0);
 }
 static inline uint32_t hash_string_case(const char *s)
 {
 	return hash_string_case_initval(s, 0);
 }
 static inline uint32_t hash_string_array(const char **a)
 {
 	uint32_t h = 0;
--- a/test/cases/test-bind.cc
+++ b/test/cases/test-bind.cc
@@ -56,6 +56,36 @@ cache-persist no)""");
 	EXPECT_EQ(client.GetAnswer()[0].GetData(), "1.2.3.4");
 }
 TEST(Bind, https)
 {
 	Defer
 	{
 		unlink("/tmp/smartdns-cert.pem");
 		unlink("/tmp/smartdns-key.pem");
 	};
 	smartdns::Server server_wrap;
 	smartdns::Server server;
 	server.Start(R"""(bind [::]:61053
 server https://127.0.0.1:60053 -no-check-certificate
 log-num 0
 log-console yes
 log-level debug
 cache-persist no)""");
 	server_wrap.Start(R"""(bind-https [::]:60053
 address /example.com/1.2.3.4
 log-num 0
 log-console yes
 log-level debug
 cache-persist no)""");
 	smartdns::Client client;
 	ASSERT_TRUE(client.Query("example.com", 61053));
 	ASSERT_EQ(client.GetAnswerNum(), 1);
 	EXPECT_EQ(client.GetStatus(), "NOERROR");
 	EXPECT_EQ(client.GetAnswer()[0].GetData(), "1.2.3.4");
 }
 TEST(Bind, udp_tcp)
 {
 	smartdns::MockServer server_upstream;