Add TLSA support to DNSSEC fetching

5 files changed, 134 insertions, 6 deletions

diff --git a/src/net/CMakeLists.txt b/src/net/CMakeLists.txt
index afcd42ef7..e93e27bcd 100644
--- a/src/net/CMakeLists.txt
+++ b/src/net/CMakeLists.txt
@@ -26,10 +26,10 @@
 # STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF
 # THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 
-set(net_sources dandelionpp.cpp error.cpp http.cpp i2p_address.cpp parse.cpp socks.cpp
-    socks_connect.cpp tor_address.cpp zmq.cpp)
-set(net_headers dandelionpp.h error.h http.cpp i2p_address.h parse.h socks.h socks_connect.h
-    tor_address.h zmq.h)
+set(net_sources dandelionpp.cpp error.cpp http.cpp i2p_address.cpp parse.cpp resolve.cpp
+    socks.cpp socks_connect.cpp tor_address.cpp zmq.cpp)
+set(net_headers dandelionpp.h error.h http.cpp i2p_address.h parse.h socks.h resolve.h
+    socks_connect.h tor_address.h zmq.h)
 
 monero_add_library(net ${net_sources} ${net_headers})
 target_link_libraries(net common epee ${ZMQ_LIB} ${Boost_ASIO_LIBRARY})
diff --git a/src/net/error.cpp b/src/net/error.cpp
index 037f44d52..d2e713bc5 100644
--- a/src/net/error.cpp
+++ b/src/net/error.cpp
@@ -47,12 +47,18 @@ namespace
         {
             switch (net::error(value))
             {
+            case net::error::bogus_dnssec:
+                return "Invalid response signature from DNSSEC enabled domain";
+            case net::error::dns_query_failure:
+                return "Failed to retrieve desired DNS record";
             case net::error::expected_tld:
                 return "Expected top-level domain";
             case net::error::invalid_host:
                 return "Host value is not valid";
             case net::error::invalid_i2p_address:
                 return "Invalid I2P address";
+            case net::error::invalid_mask:
+                return "CIDR netmask outside of 0-32 range";
             case net::error::invalid_port:
                 return "Invalid port value (expected 0-65535)";
             case net::error::invalid_tor_address:
@@ -71,6 +77,7 @@ namespace
             switch (net::error(value))
             {
             case net::error::invalid_port:
+            case net::error::invalid_mask:
                 return std::errc::result_out_of_range;
             case net::error::expected_tld:
             case net::error::invalid_tor_address:
diff --git a/src/net/error.h b/src/net/error.h
index 7c852dd20..746eb0ecb 100644
--- a/src/net/error.h
+++ b/src/net/error.h
@@ -37,13 +37,16 @@ namespace net
     enum class error : int
     {
         // 0 reserved for success (as per expect<T>)
-        expected_tld = 1,   //!< Expected a tld
+        bogus_dnssec = 1,   //!< Invalid response signature from DNSSEC enabled domain
+        dns_query_failure,  //!< Failed to retrieve desired DNS record
+        expected_tld,       //!< Expected a tld
         invalid_host,       //!< Hostname is not valid
         invalid_i2p_address,
+        invalid_mask,       //!< Outside of 0-32 range
         invalid_port,       //!< Outside of 0-65535 range
         invalid_tor_address,//!< Invalid base32 or length
         unsupported_address,//!< Type not supported by `get_network_address`
-        invalid_mask,       //!< Outside of 0-32 range
+
     };
 
     //! \return `std::error_category` for `net` namespace.
diff --git a/src/net/resolve.cpp b/src/net/resolve.cpp
new file mode 100644
index 000000000..1b43cf6c4
--- /dev/null
+++ b/src/net/resolve.cpp
@@ -0,0 +1,71 @@
+// Copyright (c) 2020, The Monero Project
+//
+// All rights reserved.
+//
+// Redistribution and use in source and binary forms, with or without modification, are
+// permitted provided that the following conditions are met:
+//
+// 1. Redistributions of source code must retain the above copyright notice, this list of
+//    conditions and the following disclaimer.
+//
+// 2. Redistributions in binary form must reproduce the above copyright notice, this list
+//    of conditions and the following disclaimer in the documentation and/or other
+//    materials provided with the distribution.
+//
+// 3. Neither the name of the copyright holder nor the names of its contributors may be
+//    used to endorse or promote products derived from this software without specific
+//    prior written permission.
+//
+// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY
+// EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+// MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL
+// THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+// SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
+// PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+// INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+// STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF
+// THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+#include "net/resolve.h"
+
+#include <boost/utility/string_ref.hpp>
+#include "common/dns_utils.h"
+#include "common/expect.h"
+#include "net/error.h"
+
+namespace net
+{
+namespace dnssec
+{
+  expect<service_response> resolve_hostname(const std::string& addr, const std::string& tlsa_port)
+  {
+    // use basic (blocking) unbound for now, possibly refactor later
+    tools::DNSResolver& resolver = tools::DNSResolver::instance();
+
+    bool dnssec_available = false;
+    bool dnssec_valid = false;
+    std::vector<std::string> ip_records = resolver.get_ipv4(addr, dnssec_available, dnssec_valid);
+
+    if (dnssec_available && !dnssec_valid)
+      return {net::error::bogus_dnssec};
+
+    if (ip_records.empty())
+    {
+      ip_records = resolver.get_ipv6(addr, dnssec_available, dnssec_valid);
+      if (dnssec_available && !dnssec_valid)
+        return {net::error::bogus_dnssec};
+      if (ip_records.empty())
+        return {net::error::dns_query_failure};
+    }
+
+    std::vector<std::string> tlsa{};
+    if (dnssec_available && !tlsa_port.empty())
+    {
+      tlsa = resolver.get_tlsa_tcp_record(addr, tlsa_port, dnssec_available, dnssec_valid);
+      if (!dnssec_valid)
+        return {net::error::bogus_dnssec};
+    }
+    return {{std::move(ip_records), std::move(tlsa)}};
+  }
+} // dnssec
+} // net
diff --git a/src/net/resolve.h b/src/net/resolve.h
new file mode 100644
index 000000000..46bd8e617
--- /dev/null
+++ b/src/net/resolve.h
@@ -0,0 +1,47 @@
+// Copyright (c) 2020, The Monero Project
+//
+// All rights reserved.
+//
+// Redistribution and use in source and binary forms, with or without modification, are
+// permitted provided that the following conditions are met:
+//
+// 1. Redistributions of source code must retain the above copyright notice, this list of
+//    conditions and the following disclaimer.
+//
+// 2. Redistributions in binary form must reproduce the above copyright notice, this list
+//    of conditions and the following disclaimer in the documentation and/or other
+//    materials provided with the distribution.
+//
+// 3. Neither the name of the copyright holder nor the names of its contributors may be
+//    used to endorse or promote products derived from this software without specific
+//    prior written permission.
+//
+// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY
+// EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+// MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL
+// THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+// SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
+// PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+// INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+// STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF
+// THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+#include <string>
+#include <vector>
+
+template<typename> class expect;
+
+namespace net
+{
+namespace dnssec
+{
+  struct service_response
+  {
+    std::vector<std::string> ip;   //!< IPv4/6 records in dotted or semicolon notation
+    std::vector<std::string> tlsa; //!< DANE/TLSA records
+  };
+
+  //! \return IP + (optionally) DANE/TLSA records, failing if DNSSEC signature is "bogus"
+  expect<service_response> resolve_hostname(const std::string& addr, const std::string& tlsa_port = {});
+} // dnssec
+} // net