1 //! A simple tokio-based HTTP server which serves DNSSEC proofs in RFC 9102 format.
11 #[cfg(feature = "validation")]
14 #[cfg(any(feature = "build_server", all(feature = "tokio", feature = "validation")))]
15 use tokio_crate as tokio;
17 #[cfg(feature = "build_server")]
20 let resolver_sockaddr = std::env::var("RESOLVER")
21 .expect("Please set the RESOLVER env variable to the TCP socket of a recursive DNS resolver")
22 .parse().expect("RESOLVER was not a valid socket address");
23 let bind_addr = std::env::var("BIND")
24 .expect("Please set the BIND env variable to a socket address to listen on");
26 let listener = tokio::net::TcpListener::bind(bind_addr).await
27 .expect("Failed to bind to socket");
28 imp::run_server(listener, resolver_sockaddr).await;
31 #[cfg(any(feature = "build_server", all(feature = "tokio", feature = "validation")))]
38 use std::net::SocketAddr;
40 use tokio::net::TcpListener;
41 use tokio::io::{AsyncReadExt, AsyncWriteExt};
43 pub(super) async fn run_server(listener: TcpListener, resolver_sockaddr: SocketAddr) {
45 let (mut socket, _) = listener.accept().await.expect("Failed to accept new TCP connection");
46 tokio::spawn(async move {
47 let mut response = ("400 Bad Request", "Bad Request");
48 'ret_err: loop { // goto label
49 let mut buf = [0; 4096];
52 if buf_pos == buf.len() { response.1 = "Request Too Large"; break 'ret_err; }
53 let read_res = { socket.read(&mut buf[buf_pos..]).await };
58 for window in buf[..buf_pos].windows(2) {
59 if window == b"\r\n" { break 'read_req; }
62 Err(e) if e.kind() == std::io::ErrorKind::WouldBlock => {},
67 if let Ok(s) = std::str::from_utf8(&buf[..buf_pos]) {
68 if let Some((r, _)) = s.split_once("\r\n") {
78 let mut parts = request.split(" ");
79 let (verb, path, http_vers);
80 if let Some(v) = parts.next() { verb = v; } else { break 'ret_err; }
81 if let Some(p) = parts.next() { path = p; } else { break 'ret_err; }
82 if let Some(v) = parts.next() { http_vers = v; } else { break 'ret_err; }
83 if parts.next().is_some() { break; }
84 if verb != "GET" { break; }
85 if http_vers != "HTTP/1.1" && http_vers != "HTTP/1.0" { break 'ret_err; }
87 const PATH_PFX: &'static str = "/dnssecproof?";
88 if !path.starts_with(PATH_PFX) {
89 response = ("404 Not Found", "Not Found");
93 let (mut d, mut t) = ("", "");
94 for arg in path[PATH_PFX.len()..].split("&") {
95 if let Some((k, v)) = arg.split_once("=") {
101 } else { break 'ret_err; }
104 if d == "" || t == "" {
105 response.1 = "Missing d or t URI parameters";
108 let query_name = if let Ok(domain) = Name::try_from(d) { domain } else {
109 response.1 = "Failed to parse domain, make sure it ends with .";
112 let proof_res = match t.to_ascii_uppercase().as_str() {
113 "TXT" => build_txt_proof_async(resolver_sockaddr, &query_name).await,
114 "TLSA" => build_tlsa_proof_async(resolver_sockaddr, &query_name).await,
115 "A" => build_a_proof_async(resolver_sockaddr, &query_name).await,
116 "AAAA" => build_aaaa_proof_async(resolver_sockaddr, &query_name).await,
119 let proof = if let Ok(proof) = proof_res { proof } else {
120 response = ("404 Not Found", "Failed to generate proof for given domain");
124 let _ = socket.write_all(
125 format!("HTTP/1.1 200 OK\r\nContent-Length: {}\r\nContent-Type: application/octet-stream\r\nAccess-Control-Allow-Origin: *\r\n\r\n", proof.len()).as_bytes()
127 let _ = socket.write_all(&proof).await;
130 let _ = socket.write_all(format!(
131 "HTTP/1.1 {}\r\nContent-Length: {}\r\nContent-Type: text/plain\r\nAccess-Control-Allow-Origin: *\r\n\r\n{}",
132 response.0, response.1.len(), response.1,
139 #[cfg(all(feature = "tokio", feature = "validation", test))]
143 use crate::validation::{parse_rr_stream, verify_rr_stream};
147 #[tokio::test(flavor = "multi_thread", worker_threads = 1)]
148 async fn test_lookup() {
149 let ns = "8.8.8.8:53".parse().unwrap();
150 let listener = tokio::net::TcpListener::bind("127.0.0.1:17492").await
151 .expect("Failed to bind to socket");
152 tokio::spawn(imp::run_server(listener, ns));
153 let resp = minreq::get(
154 "http://127.0.0.1:17492/dnssecproof?d=matt.user._bitcoin-payment.mattcorallo.com.&t=tXt"
157 assert_eq!(resp.status_code, 200);
158 let rrs = parse_rr_stream(resp.as_bytes()).unwrap();
159 let verified_rrs = verify_rr_stream(&rrs).unwrap();
160 assert_eq!(verified_rrs.verified_rrs.len(), 1);
163 #[tokio::test(flavor = "multi_thread", worker_threads = 1)]
164 async fn test_lookup_a() {
165 let ns = "4.4.4.4:53".parse().unwrap();
166 let listener = tokio::net::TcpListener::bind("127.0.0.1:17493").await
167 .expect("Failed to bind to socket");
168 tokio::spawn(imp::run_server(listener, ns));
169 let resp = minreq::get(
170 "http://127.0.0.1:17493/dnssecproof?d=cloudflare.com.&t=a"
173 assert_eq!(resp.status_code, 200);
174 let rrs = parse_rr_stream(resp.as_bytes()).unwrap();
175 let verified_rrs = verify_rr_stream(&rrs).unwrap();
176 assert_eq!(verified_rrs.verified_rrs.len(), 1);
179 #[tokio::test(flavor = "multi_thread", worker_threads = 1)]
180 async fn test_lookup_tlsa() {
181 let ns = "1.1.1.1:53".parse().unwrap();
182 let listener = tokio::net::TcpListener::bind("127.0.0.1:17494").await
183 .expect("Failed to bind to socket");
184 tokio::spawn(imp::run_server(listener, ns));
185 let resp = minreq::get(
186 "http://127.0.0.1:17494/dnssecproof?d=_25._tcp.mail.as397444.net.&t=TLSA"
189 assert_eq!(resp.status_code, 200);
190 let rrs = parse_rr_stream(resp.as_bytes()).unwrap();
191 let verified_rrs = verify_rr_stream(&rrs).unwrap();
192 assert_eq!(verified_rrs.verified_rrs.len(), 1);