dan9i10/amnezia-client
1
0
Fork 0
mirror of https://github.com/amnezia-vpn/amnezia-client.git synced 2026-05-08 14:33:23 +00:00
Code Issues Packages Projects Releases Wiki Activity

dns/http separation

Browse Source
This commit is contained in:
svamnezia
2026-04-28 17:51:59 +03:00
parent eb1188ccd7
commit 4f8e1da751
23 changed files with 2304 additions and 2609 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
client/CMakeLists.txt
View File

@@ -44,6 +44,10 @@ add_definitions(-DAGW_DNS_DOH_PATH="$ENV{AGW_DNS_DOH_PATH}")
add_definitions(-DAGW_DNS_RETRY_COUNT="$ENV{AGW_DNS_RETRY_COUNT}")
add_definitions(-DAGW_DNS_TIMEOUT_MS="$ENV{AGW_DNS_TIMEOUT_MS}")
if(DEFINED ENV{AGW_INSECURE_SSL} AND NOT "$ENV{AGW_INSECURE_SSL}" STREQUAL "" AND NOT "$ENV{AGW_INSECURE_SSL}" STREQUAL "0")
add_definitions(-DAGW_INSECURE_SSL=1)
endif()
if(WIN32 OR (APPLE AND NOT IOS) OR (LINUX AND NOT ANDROID))
set(PACKAGES ${PACKAGES} Widgets)
endif()

11
client/cmake/sources.cmake
View File

@@ -23,6 +23,12 @@ set(HEADERS ${HEADERS}
${CMAKE_CURRENT_BINARY_DIR}/version.h
${CLIENT_ROOT_DIR}/core/sshclient.h
${CLIENT_ROOT_DIR}/core/networkUtilities.h
${CLIENT_ROOT_DIR}/core/transport/igatewaytransport.h
${CLIENT_ROOT_DIR}/core/transport/httpGatewayTransport.h
${CLIENT_ROOT_DIR}/core/transport/dnsGatewayTransport.h
${CLIENT_ROOT_DIR}/core/transport/dns/dnsResolver.h
${CLIENT_ROOT_DIR}/core/transport/dns/dnsTunnel.h
${CLIENT_ROOT_DIR}/core/transport/dns/dnsPacket_p.h
${CLIENT_ROOT_DIR}/core/serialization/serialization.h
${CLIENT_ROOT_DIR}/core/serialization/transfer.h
${CLIENT_ROOT_DIR}/../common/logger/logger.h
@@ -68,6 +74,11 @@ set(SOURCES ${SOURCES}
${CLIENT_ROOT_DIR}/protocols/vpnprotocol.cpp
${CLIENT_ROOT_DIR}/core/sshclient.cpp
${CLIENT_ROOT_DIR}/core/networkUtilities.cpp
${CLIENT_ROOT_DIR}/core/transport/httpGatewayTransport.cpp
${CLIENT_ROOT_DIR}/core/transport/dnsGatewayTransport.cpp
${CLIENT_ROOT_DIR}/core/transport/dns/dnsResolver.cpp
${CLIENT_ROOT_DIR}/core/transport/dns/dnsTunnel.cpp
${CLIENT_ROOT_DIR}/core/transport/dns/dnsPacket.cpp
${CLIENT_ROOT_DIR}/core/serialization/outbound.cpp
${CLIENT_ROOT_DIR}/core/serialization/inbound.cpp
${CLIENT_ROOT_DIR}/core/serialization/ss.cpp

1196
client/core/controllers/gatewayController.cpp
View File

File diff suppressed because it is too large Load Diff

100
client/core/controllers/gatewayController.h
View File

@@ -4,42 +4,37 @@
#include <QFuture>
#include <QJsonArray>
#include <QJsonObject>
#include <QNetworkReply>
#include <QMutex>
#include <QObject>
#include <QPair>
#include <QPromise>
#include <QSharedPointer>
#include <memory>
#include "core/defs.h"
#include "core/networkUtilities.h"
#include "core/transport/dns/dnsResolver.h"
#include "core/transport/igatewaytransport.h"
#ifdef Q_OS_IOS
#include "platforms/ios/ios_controller.h"
#endif
// NEW: Configuration for a single DNS transport (each can have its own server/domain)
struct DnsTransportEntry {
NetworkUtilities::DnsTransport type = NetworkUtilities::DnsTransport::Udp;
QString server; // DNS server IP
QString domain; // Base domain for tunneling
struct DnsTransportEntry
{
amnezia::transport::dns::DnsProtocol type = amnezia::transport::dns::DnsProtocol::Udp;
QString server;
QString domain;
quint16 port = 15353;
QString dohPath = "/dns-query";
bool isValid() const { return !server.isEmpty() && !domain.isEmpty(); }
};
// NEW: Primary transport type
enum class PrimaryTransport { Http, DnsUdp, DnsTcp, DnsDot, DnsDoh, DnsDoq };
// NEW: Full transports configuration
struct TransportsConfig {
struct TransportsConfig
{
PrimaryTransport primary = PrimaryTransport::Http;
bool httpEnabled = true;
QString httpEndpoint;
QList<DnsTransportEntry> dnsTransports;
int retryCount = 3;
int timeoutMs = 10000;
bool isValid() const { return httpEnabled || !dnsTransports.isEmpty(); }
static TransportsConfig fromJson(const QJsonObject &json);
};
@@ -49,76 +44,45 @@ class GatewayController : public QObject
Q_OBJECT
public:
explicit GatewayController(const QString &gatewayEndpoint, const bool isDevEnvironment, const int requestTimeoutMsecs,
const bool isStrictKillSwitchEnabled, QObject *parent = nullptr);
explicit GatewayController(const QString &gatewayEndpoint,
const bool isDevEnvironment,
const int requestTimeoutMsecs,
const bool isStrictKillSwitchEnabled,
QObject *parent = nullptr);
amnezia::ErrorCode post(const QString &endpoint, const QJsonObject apiPayload, QByteArray &responseBody);
QFuture<QPair<amnezia::ErrorCode, QByteArray>> postAsync(const QString &endpoint, const QJsonObject apiPayload);
// DNS transport settings
void setDnsServer(const QString &dnsServer, const QString &baseDomain, NetworkUtilities::DnsTransport transport,
quint16 port, const QString &dohEndpoint = "/dns-query");
// DNS tunneling - send request via DNS transport
amnezia::ErrorCode postViaDns(const QString &endpoint, const QJsonObject apiPayload, QByteArray &responseBody);
static TransportsConfig buildTransportsConfig();
void setTransportsConfig(const TransportsConfig &config);
// NEW: Parallel request via all configured transports (primary first, then others)
amnezia::ErrorCode postParallel(const QString &endpoint, const QJsonObject apiPayload, QByteArray &responseBody);
private:
struct EncryptedRequestData
struct EncryptedRequest
{
QNetworkRequest request;
QByteArray requestBody;
QByteArray body;
QByteArray key;
QByteArray iv;
QByteArray salt;
amnezia::ErrorCode errorCode;
amnezia::ErrorCode errorCode = amnezia::ErrorCode::NoError;
};
struct DecryptionResult
{
QByteArray decryptedBody;
bool isDecryptionSuccessful;
};
EncryptedRequest encryptRequest(const QJsonObject &apiPayload);
amnezia::transport::DecryptionResult decryptResponse(const QByteArray &encryptedResponseBody,
const QByteArray &key,
const QByteArray &iv,
const QByteArray &salt) const;
EncryptedRequestData prepareRequest(const QString &endpoint, const QJsonObject &apiPayload, bool skipDnsResolve = false);
DecryptionResult tryDecryptResponseBody(const QByteArray &encryptedResponseBody, QNetworkReply::NetworkError replyError,
const QByteArray &key, const QByteArray &iv, const QByteArray &salt);
QString resolveGatewayHostname(const QString &hostname);
QStringList getProxyUrls(const QString &serviceType, const QString &userCountryCode);
bool shouldBypassProxy(const QNetworkReply::NetworkError &replyError, const QByteArray &decryptedResponseBody, bool isDecryptionSuccessful);
void bypassProxy(const QString &endpoint, const QString &serviceType, const QString &userCountryCode,
std::function<QNetworkReply *(const QString &url)> requestFunction,
std::function<bool(QNetworkReply *reply, const QList<QSslError> &sslErrors)> replyProcessingFunction);
void getProxyUrlsAsync(const QStringList proxyStorageUrls, const int currentProxyStorageIndex,
std::function<void(const QStringList &)> onComplete);
void getProxyUrlAsync(const QStringList proxyUrls, const int currentProxyIndex, std::function<void(const QString &)> onComplete);
void bypassProxyAsync(
const QString &endpoint, const QString &proxyUrl, EncryptedRequestData encRequestData,
std::function<void(const QByteArray &, bool, const QList<QSslError> &, QNetworkReply::NetworkError, const QString &, int)> onComplete);
std::shared_ptr<amnezia::transport::IGatewayTransport> currentTransport() const;
static std::shared_ptr<amnezia::transport::IGatewayTransport> buildTransport(
const TransportsConfig &config, int requestTimeoutMsecs, bool isDevEnvironment, bool isStrictKillSwitchEnabled);
int m_requestTimeoutMsecs;
QString m_gatewayEndpoint;
bool m_isDevEnvironment = false;
bool m_isStrictKillSwitchEnabled = false;
// DNS transport settings (for individual transport)
QString m_dnsServer;
QString m_dnsBaseDomain;
NetworkUtilities::DnsTransport m_dnsTransport = NetworkUtilities::DnsTransport::Udp;
quint16 m_dnsPort = 15353;
QString m_dohEndpoint = "/dns-query";
// NEW: Full transports configuration
TransportsConfig m_transportsConfig;
inline static QString m_proxyUrl;
mutable QMutex m_transportMutex;
std::shared_ptr<amnezia::transport::IGatewayTransport> m_transport;
};
#endif // GATEWAYCONTROLLER_H

1445
client/core/networkUtilities.cpp
View File

File diff suppressed because it is too large Load Diff

28
client/core/networkUtilities.h
View File

@@ -31,34 +31,6 @@ public:
static QString netMaskFromIpWithSubnet(const QString ip);
static QString ipAddressFromIpWithSubnet(const QString ip);
static QStringList summarizeRoutes(const QStringList &ips, const QString cidr);
// DNS resolution methods
enum class DnsTransport { Udp, Tcp, Tls, Https, Quic };
static QString resolveDns(const QString &hostname, const QString &dnsServer, DnsTransport transport,
quint16 port, int timeoutMsecs = 3000, const QString &dohEndpoint = "/dns-query");
static QString resolveDnsOverUdp(const QString &hostname, const QString &dnsServer, quint16 port, int timeoutMsecs = 3000);
static QString resolveDnsOverTcp(const QString &hostname, const QString &dnsServer, quint16 port, int timeoutMsecs = 3000);
static QString resolveDnsOverTls(const QString &hostname, const QString &dnsServer, quint16 port, int timeoutMsecs = 3000);
static QString resolveDnsOverHttps(const QString &hostname, const QString &dnsServer, const QString &endpoint, int timeoutMsecs = 3000);
static QString resolveDnsOverQuic(const QString &hostname, const QString &dnsServer, quint16 port, int timeoutMsecs = 3000);
// DNS tunneling - send/receive data via DNS TXT records
static QByteArray sendViaDnsTunnel(const QByteArray &payload, const QString &endpoint, const QString &baseDomain,
const QString &dnsServer, DnsTransport transport, quint16 port,
int timeoutMsecs = 30000, const QString &dohEndpoint = "/dns-query");
static QByteArray sendViaDnsTunnelUdp(const QByteArray &payload, const QString &queryName,
const QString &dnsServer, quint16 port, int timeoutMsecs);
static QByteArray sendViaDnsTunnelTcp(const QByteArray &payload, const QString &queryName,
const QString &dnsServer, quint16 port, int timeoutMsecs);
static QByteArray sendViaDnsTunnelTls(const QByteArray &payload, const QString &queryName,
const QString &dnsServer, quint16 port, int timeoutMsecs);
static QByteArray sendViaDnsTunnelHttps(const QByteArray &payload, const QString &queryName,
const QString &dnsServer, quint16 port, const QString &endpoint, int timeoutMsecs);
// Chunked UDP - for large responses
static QByteArray sendViaDnsTunnelUdpChunked(const QByteArray &payload, const QString &queryName,
const QString &dnsServer, quint16 port, int timeoutMsecs);
};
#endif // NETWORKUTILITIES_H

153
client/core/transport/dns/dnsPacket.cpp Normal file
View File

@@ -0,0 +1,153 @@
#include "dnsPacket_p.h"
#include <QHostInfo>
#include <cstring>
namespace amnezia::transport::dns::detail
{
QHostAddress resolveHostAddress(const QString &host)
{
QHostAddress addr(host);
if (!addr.isNull()) return addr;
QHostInfo info = QHostInfo::fromName(host);
if (!info.addresses().isEmpty()) return info.addresses().first();
return QHostAddress();
}
QByteArray encodeDnsName(const QString &hostname)
{
QByteArray result;
const QStringList parts = hostname.split('.');
for (const QString &part : parts) {
if (part.length() > 63) {
return QByteArray();
}
result.append(static_cast<char>(part.length()));
result.append(part.toUtf8());
}
result.append(static_cast<char>(0));
return result;
}
QByteArray buildDnsQuery(const QString &hostname, quint16 transactionId)
{
QByteArray packet;
DnsHeader header;
header.id = qToBigEndian(transactionId);
header.flags = qToBigEndian<quint16>(0x0100);
header.qdcount = qToBigEndian<quint16>(1);
header.ancount = 0;
header.nscount = 0;
header.arcount = 0;
packet.append(reinterpret_cast<const char *>(&header), sizeof(DnsHeader));
const QByteArray qname = encodeDnsName(hostname);
if (qname.isEmpty()) {
return QByteArray();
}
packet.append(qname);
quint16 qtype = qToBigEndian<quint16>(DNS_TYPE_A);
packet.append(reinterpret_cast<const char *>(&qtype), sizeof(quint16));
quint16 qclass = qToBigEndian<quint16>(DNS_CLASS_IN);
packet.append(reinterpret_cast<const char *>(&qclass), sizeof(quint16));
return packet;
}
QString parseDnsResponse(const QByteArray &response, bool isTcp)
{
if (response.size() < static_cast<int>(sizeof(DnsHeader))) {
return QString();
}
int offset = isTcp ? 2 : 0;
if (response.size() < offset + static_cast<int>(sizeof(DnsHeader))) {
return QString();
}
DnsHeader header;
std::memcpy(&header, response.constData() + offset, sizeof(DnsHeader));
offset += sizeof(DnsHeader);
const quint16 flags = qFromBigEndian(header.flags);
const quint16 ancount = qFromBigEndian(header.ancount);
if ((flags & 0x8000) == 0 || (flags & 0x000F) != 0) {
return QString();
}
if (ancount == 0) {
return QString();
}
while (offset < response.size() && response.at(offset) != 0) {
const quint8 length = static_cast<quint8>(response.at(offset));
if (length > 63) {
return QString();
}
offset += length + 1;
}
if (offset >= response.size()) {
return QString();
}
offset++;
offset += 4;
for (int i = 0; i < ancount && offset < response.size(); ++i) {
if (offset >= response.size()) {
break;
}
const quint8 nameByte = static_cast<quint8>(response.at(offset));
if ((nameByte & 0xC0) == 0xC0) {
offset += 2;
} else {
while (offset < response.size() && response.at(offset) != 0) {
const quint8 length = static_cast<quint8>(response.at(offset));
if (length > 63) {
return QString();
}
offset += length + 1;
}
offset++;
}
if (offset + 10 > response.size()) {
break;
}
const quint16 type =
qFromBigEndian<quint16>(*reinterpret_cast<const quint16 *>(response.constData() + offset));
offset += 2;
offset += 2;
offset += 4;
const quint16 rdlength =
qFromBigEndian<quint16>(*reinterpret_cast<const quint16 *>(response.constData() + offset));
offset += 2;
if (type == DNS_TYPE_A && rdlength == 4) {
if (offset + 4 > response.size()) {
break;
}
QHostAddress ip;
ip.setAddress(
qFromBigEndian<quint32>(*reinterpret_cast<const quint32 *>(response.constData() + offset)));
return ip.toString();
}
offset += rdlength;
}
return QString();
}
} // namespace amnezia::transport::dns::detail

38
client/core/transport/dns/dnsPacket_p.h Normal file
View File

@@ -0,0 +1,38 @@
#ifndef DNSPACKET_P_H
#define DNSPACKET_P_H
#include <QByteArray>
#include <QHostAddress>
#include <QString>
#include <QtEndian>
namespace amnezia::transport::dns::detail
{
constexpr quint16 DNS_PORT = 53;
constexpr quint16 DNS_TYPE_A = 1;
constexpr quint16 DNS_CLASS_IN = 1;
#pragma pack(push, 1)
struct DnsHeader
{
quint16 id;
quint16 flags;
quint16 qdcount;
quint16 ancount;
quint16 nscount;
quint16 arcount;
};
#pragma pack(pop)
QHostAddress resolveHostAddress(const QString &host);
QByteArray encodeDnsName(const QString &hostname);
QByteArray buildDnsQuery(const QString &hostname, quint16 transactionId);
QString parseDnsResponse(const QByteArray &response, bool isTcp);
} // namespace amnezia::transport::dns::detail
#endif // DNSPACKET_P_H

354
client/core/transport/dns/dnsResolver.cpp Normal file
View File

@@ -0,0 +1,354 @@
#include "dnsResolver.h"
#include "dnsPacket_p.h"
#include <QDateTime>
#include <QEventLoop>
#include <QHostAddress>
#include <QNetworkAccessManager>
#include <QNetworkDatagram>
#include <QNetworkReply>
#include <QNetworkRequest>
#include <QSslSocket>
#include <QTcpSocket>
#include <QTimer>
#include <QUdpSocket>
#include <QUrl>
namespace amnezia::transport::dns::DnsResolver
{
using detail::buildDnsQuery;
using detail::parseDnsResponse;
using detail::resolveHostAddress;
QString resolve(const QString &hostname,
const QString &dnsServer,
DnsProtocol protocol,
quint16 port,
int timeoutMsecs,
const QString &dohEndpoint)
{
switch (protocol) {
case DnsProtocol::Udp:
return resolveOverUdp(hostname, dnsServer, port, timeoutMsecs);
case DnsProtocol::Tcp:
return resolveOverTcp(hostname, dnsServer, port, timeoutMsecs);
case DnsProtocol::Tls:
return resolveOverTls(hostname, dnsServer, port, timeoutMsecs);
case DnsProtocol::Https:
return resolveOverHttps(hostname, dnsServer, dohEndpoint, timeoutMsecs);
case DnsProtocol::Quic:
return resolveOverQuic(hostname, dnsServer, port, timeoutMsecs);
}
return QString();
}
QString resolveOverUdp(const QString &hostname, const QString &dnsServer, quint16 port, int timeoutMsecs)
{
QUdpSocket socket;
const quint16 transactionId = static_cast<quint16>(QDateTime::currentMSecsSinceEpoch() & 0xFFFF);
const QByteArray query = buildDnsQuery(hostname, transactionId);
if (query.isEmpty()) {
return QString();
}
const QHostAddress dnsAddress = resolveHostAddress(dnsServer);
if (dnsAddress.isNull()) {
return QString();
}
const qint64 bytesWritten = socket.writeDatagram(query, dnsAddress, port);
if (bytesWritten != query.size()) {
return QString();
}
QEventLoop loop;
QTimer timer;
timer.setSingleShot(true);
timer.setInterval(timeoutMsecs);
QByteArray response;
bool responseReceived = false;
QObject::connect(&timer, &QTimer::timeout, &loop, &QEventLoop::quit);
QObject::connect(&socket, &QUdpSocket::readyRead, [&]() {
while (socket.hasPendingDatagrams()) {
QNetworkDatagram datagram = socket.receiveDatagram();
if (datagram.isValid()) {
response = datagram.data();
responseReceived = true;
loop.quit();
}
}
});
timer.start();
loop.exec();
timer.stop();
if (!responseReceived || response.isEmpty()) {
return QString();
}
return parseDnsResponse(response, false);
}
QString resolveOverTcp(const QString &hostname, const QString &dnsServer, quint16 port, int timeoutMsecs)
{
QTcpSocket socket;
const QHostAddress dnsAddress = resolveHostAddress(dnsServer);
if (dnsAddress.isNull()) {
return QString();
}
socket.connectToHost(dnsAddress, port);
if (!socket.waitForConnected(timeoutMsecs)) {
return QString();
}
const quint16 transactionId = static_cast<quint16>(QDateTime::currentMSecsSinceEpoch() & 0xFFFF);
const QByteArray query = buildDnsQuery(hostname, transactionId);
if (query.isEmpty()) {
socket.close();
return QString();
}
quint16 length = qToBigEndian<quint16>(static_cast<quint16>(query.size()));
QByteArray tcpQuery;
tcpQuery.append(reinterpret_cast<const char *>(&length), sizeof(quint16));
tcpQuery.append(query);
const qint64 bytesWritten = socket.write(tcpQuery);
if (bytesWritten != tcpQuery.size() || !socket.waitForBytesWritten(timeoutMsecs)) {
socket.close();
return QString();
}
QEventLoop loop;
QTimer timer;
timer.setSingleShot(true);
timer.setInterval(timeoutMsecs);
QByteArray response;
bool responseReceived = false;
QObject::connect(&timer, &QTimer::timeout, &loop, &QEventLoop::quit);
QObject::connect(&socket, &QTcpSocket::readyRead, [&]() {
if (socket.bytesAvailable() >= 2 && response.isEmpty()) {
QByteArray lengthBytes = socket.read(2);
if (lengthBytes.size() == 2) {
const quint16 responseLength =
qFromBigEndian<quint16>(*reinterpret_cast<const quint16 *>(lengthBytes.constData()));
while (socket.bytesAvailable() < responseLength) {
if (!socket.waitForReadyRead(timeoutMsecs / 2)) {
break;
}
}
if (socket.bytesAvailable() >= responseLength) {
response = socket.read(responseLength);
responseReceived = true;
loop.quit();
}
}
}
});
timer.start();
loop.exec();
timer.stop();
socket.close();
if (!responseReceived || response.isEmpty()) {
return QString();
}
return parseDnsResponse(response, true);
}
QString resolveOverTls(const QString &hostname, const QString &dnsServer, quint16 port, int timeoutMsecs)
{
QSslSocket socket;
const QHostAddress dnsAddress = resolveHostAddress(dnsServer);
if (dnsAddress.isNull()) {
return QString();
}
socket.setPeerVerifyMode(QSslSocket::QueryPeer);
socket.connectToHostEncrypted(dnsAddress.toString(), port);
if (!socket.waitForConnected(timeoutMsecs)) {
return QString();
}
if (!socket.waitForEncrypted(timeoutMsecs)) {
socket.close();
return QString();
}
const quint16 transactionId = static_cast<quint16>(QDateTime::currentMSecsSinceEpoch() & 0xFFFF);
const QByteArray query = buildDnsQuery(hostname, transactionId);
if (query.isEmpty()) {
socket.close();
return QString();
}
quint16 length = qToBigEndian<quint16>(static_cast<quint16>(query.size()));
QByteArray tlsQuery;
tlsQuery.append(reinterpret_cast<const char *>(&length), sizeof(quint16));
tlsQuery.append(query);
const qint64 bytesWritten = socket.write(tlsQuery);
if (bytesWritten != tlsQuery.size() || !socket.waitForBytesWritten(timeoutMsecs)) {
socket.close();
return QString();
}
QEventLoop loop;
QTimer timer;
timer.setSingleShot(true);
timer.setInterval(timeoutMsecs);
QByteArray response;
bool responseReceived = false;
QObject::connect(&timer, &QTimer::timeout, &loop, &QEventLoop::quit);
QObject::connect(&socket, &QSslSocket::readyRead, [&]() {
if (socket.bytesAvailable() >= 2 && response.isEmpty()) {
QByteArray lengthBytes = socket.read(2);
if (lengthBytes.size() == 2) {
const quint16 responseLength =
qFromBigEndian<quint16>(*reinterpret_cast<const quint16 *>(lengthBytes.constData()));
while (socket.bytesAvailable() < responseLength) {
if (!socket.waitForReadyRead(timeoutMsecs / 2)) {
break;
}
}
if (socket.bytesAvailable() >= responseLength) {
response = socket.read(responseLength);
responseReceived = true;
loop.quit();
}
}
}
});
timer.start();
loop.exec();
timer.stop();
socket.close();
if (!responseReceived || response.isEmpty()) {
return QString();
}
return parseDnsResponse(response, true);
}
QString resolveOverHttps(const QString &hostname, const QString &dnsServer, const QString &endpoint, int timeoutMsecs)
{
const QString dohUrl = QStringLiteral("https://%1%2").arg(dnsServer, endpoint);
const quint16 transactionId = static_cast<quint16>(QDateTime::currentMSecsSinceEpoch() & 0xFFFF);
const QByteArray query = buildDnsQuery(hostname, transactionId);
if (query.isEmpty()) {
return QString();
}
QNetworkRequest request;
request.setUrl(QUrl(dohUrl));
request.setHeader(QNetworkRequest::ContentTypeHeader, "application/dns-message");
request.setRawHeader("Accept", "application/dns-message");
request.setTransferTimeout(timeoutMsecs);
QNetworkAccessManager nam;
QNetworkReply *reply = nam.post(request, query);
QEventLoop loop;
QTimer timer;
timer.setSingleShot(true);
timer.setInterval(timeoutMsecs);
QByteArray response;
bool responseReceived = false;
QObject::connect(&timer, &QTimer::timeout, &loop, &QEventLoop::quit);
QObject::connect(reply, &QNetworkReply::finished, [&]() {
if (reply->error() == QNetworkReply::NoError) {
response = reply->readAll();
responseReceived = true;
}
loop.quit();
});
timer.start();
loop.exec();
timer.stop();
reply->deleteLater();
if (!responseReceived || response.isEmpty()) {
return QString();
}
return parseDnsResponse(response, false);
}
QString resolveOverQuic(const QString &hostname, const QString &dnsServer, quint16 port, int timeoutMsecs)
{
// QUIC требует специальной библиотеки — пока используем UDP fallback
QUdpSocket socket;
const QHostAddress dnsAddress = resolveHostAddress(dnsServer);
if (dnsAddress.isNull()) {
return QString();
}
const quint16 transactionId = static_cast<quint16>(QDateTime::currentMSecsSinceEpoch() & 0xFFFF);
const QByteArray query = buildDnsQuery(hostname, transactionId);
if (query.isEmpty()) {
return QString();
}
const qint64 bytesWritten = socket.writeDatagram(query, dnsAddress, port);
if (bytesWritten != query.size()) {
return QString();
}
QEventLoop loop;
QTimer timer;
timer.setSingleShot(true);
timer.setInterval(timeoutMsecs);
QByteArray response;
bool responseReceived = false;
QObject::connect(&timer, &QTimer::timeout, &loop, &QEventLoop::quit);
QObject::connect(&socket, &QUdpSocket::readyRead, [&]() {
while (socket.hasPendingDatagrams()) {
QNetworkDatagram datagram = socket.receiveDatagram();
if (datagram.isValid()) {
response = datagram.data();
responseReceived = true;
loop.quit();
}
}
});
timer.start();
loop.exec();
timer.stop();
if (!responseReceived || response.isEmpty()) {
return QString();
}
return parseDnsResponse(response, false);
}
} // namespace amnezia::transport::dns::DnsResolver

29
client/core/transport/dns/dnsResolver.h Normal file
View File

@@ -0,0 +1,29 @@
#ifndef DNSRESOLVER_H
#define DNSRESOLVER_H
#include <QString>
namespace amnezia::transport::dns
{
enum class DnsProtocol { Udp, Tcp, Tls, Https, Quic };
namespace DnsResolver
{
QString resolve(const QString &hostname,
const QString &dnsServer,
DnsProtocol protocol,
quint16 port,
int timeoutMsecs = 3000,
const QString &dohEndpoint = QStringLiteral("/dns-query"));
QString resolveOverUdp(const QString &hostname, const QString &dnsServer, quint16 port, int timeoutMsecs = 3000);
QString resolveOverTcp(const QString &hostname, const QString &dnsServer, quint16 port, int timeoutMsecs = 3000);
QString resolveOverTls(const QString &hostname, const QString &dnsServer, quint16 port, int timeoutMsecs = 3000);
QString resolveOverHttps(const QString &hostname, const QString &dnsServer, const QString &endpoint, int timeoutMsecs = 3000);
QString resolveOverQuic(const QString &hostname, const QString &dnsServer, quint16 port, int timeoutMsecs = 3000);
} // namespace DnsResolver
} // namespace amnezia::transport::dns
#endif // DNSRESOLVER_H

822
client/core/transport/dns/dnsTunnel.cpp Normal file
View File

@@ -0,0 +1,822 @@
#include "dnsTunnel.h"
#include "dnsPacket_p.h"
#include <QDateTime>
#include <QDebug>
#include <QElapsedTimer>
#include <QEventLoop>
#include <QHostAddress>
#include <QList>
#include <QMap>
#include <QNetworkAccessManager>
#include <QNetworkDatagram>
#include <QNetworkReply>
#include <QNetworkRequest>
#include <QSharedPointer>
#include <QSslError>
#include <QSslSocket>
#include <QStringList>
#include <QTcpSocket>
#include <QThread>
#include <QTimer>
#include <QUdpSocket>
#include <QUrl>
namespace amnezia::transport::dns::DnsTunnel
{
using detail::resolveHostAddress;
namespace
{
constexpr quint16 EDNS0_PAYLOAD_OPTION_CODE = 65001;
constexpr quint16 EDNS0_CHUNK_REQUEST_CODE = 65002;
constexpr quint16 EDNS0_CHUNK_RESPONSE_CODE = 65003;
struct ChunkMeta
{
QByteArray chunkId;
quint16 totalChunks = 0;
quint16 chunkIndex = 0;
quint32 totalSize = 0;
};
void appendUint16BE(QByteArray &data, quint16 value)
{
data.append(static_cast<char>((value >> 8) & 0xFF));
data.append(static_cast<char>(value & 0xFF));
}
QByteArray buildDnsChunkRequest(const QString &queryName, quint16 transactionId,
const QByteArray &chunkId, quint16 chunkIndex)
{
QByteArray query;
appendUint16BE(query, transactionId);
appendUint16BE(query, 0x0100);
appendUint16BE(query, 1);
appendUint16BE(query, 0);
appendUint16BE(query, 0);
appendUint16BE(query, 1);
const QStringList labels = queryName.split('.');
for (const QString &label : labels) {
QByteArray labelBytes = label.toUtf8();
query.append(static_cast<char>(labelBytes.size()));
query.append(labelBytes);
}
query.append(static_cast<char>(0));
appendUint16BE(query, 16);
appendUint16BE(query, 1);
const quint16 optionDataLen = 4 + 18;
query.append(static_cast<char>(0));
appendUint16BE(query, 41);
appendUint16BE(query, 4096);
query.append(static_cast<char>(0));
query.append(static_cast<char>(0));
appendUint16BE(query, 0);
appendUint16BE(query, optionDataLen);
appendUint16BE(query, EDNS0_CHUNK_REQUEST_CODE);
appendUint16BE(query, 18);
query.append(chunkId.left(16).leftJustified(16, '\0'));
appendUint16BE(query, chunkIndex);
return query;
}
ChunkMeta parseChunkMeta(const QByteArray &response)
{
ChunkMeta meta;
if (response.size() < 12) return meta;
const quint8 *data = reinterpret_cast<const quint8 *>(response.constData());
const quint16 qdCount = (data[4] << 8) | data[5];
const quint16 anCount = (data[6] << 8) | data[7];
const quint16 nsCount = (data[8] << 8) | data[9];
const quint16 arCount = (data[10] << 8) | data[11];
int pos = 12;
auto skipDnsName = [&]() -> bool {
int maxLabels = 128;
while (pos < response.size() && data[pos] != 0 && maxLabels-- > 0) {
if ((data[pos] & 0xC0) == 0xC0) {
pos += 2;
return pos <= response.size();
}
const int labelLen = data[pos];
if (pos + 1 + labelLen > response.size()) return false;
pos += labelLen + 1;
}
if (pos < response.size() && data[pos] == 0) pos++;
return pos <= response.size();
};
for (int i = 0; i < qdCount && pos < response.size(); ++i) {
if (!skipDnsName()) return meta;
if (pos + 4 > response.size()) return meta;
pos += 4;
}
for (int i = 0; i < anCount && pos < response.size(); ++i) {
if (!skipDnsName()) return meta;
if (pos + 10 > response.size()) return meta;
const quint16 rdlen = (data[pos + 8] << 8) | data[pos + 9];
if (pos + 10 + rdlen > response.size()) return meta;
pos += 10 + rdlen;
}
for (int i = 0; i < nsCount && pos < response.size(); ++i) {
if (!skipDnsName()) return meta;
if (pos + 10 > response.size()) return meta;
const quint16 rdlen = (data[pos + 8] << 8) | data[pos + 9];
if (pos + 10 + rdlen > response.size()) return meta;
pos += 10 + rdlen;
}
for (int i = 0; i < arCount && pos < response.size(); ++i) {
if (pos < response.size() && data[pos] == 0) {
pos++;
} else {
if (!skipDnsName()) return meta;
}
if (pos + 10 > response.size()) return meta;
const quint16 rtype = (data[pos] << 8) | data[pos + 1];
const quint16 rdlen = (data[pos + 8] << 8) | data[pos + 9];
if (pos + 10 + rdlen > response.size()) return meta;
pos += 10;
if (rtype == 41 && rdlen > 0) {
const int optEnd = pos + rdlen;
while (pos + 4 <= optEnd) {
const quint16 optCode = (data[pos] << 8) | data[pos + 1];
const quint16 optLen = (data[pos + 2] << 8) | data[pos + 3];
pos += 4;
if (optCode == EDNS0_CHUNK_RESPONSE_CODE && optLen >= 24) {
meta.chunkId = QByteArray(reinterpret_cast<const char *>(data + pos), 16);
meta.totalChunks = (data[pos + 16] << 8) | data[pos + 17];
meta.chunkIndex = (data[pos + 18] << 8) | data[pos + 19];
meta.totalSize = (static_cast<quint32>(data[pos + 20]) << 24)
| (static_cast<quint32>(data[pos + 21]) << 16)
| (static_cast<quint32>(data[pos + 22]) << 8) | data[pos + 23];
return meta;
}
pos += optLen;
}
} else {
pos += rdlen;
}
}
return meta;
}
QByteArray buildDnsTxtQueryWithPayload(const QString &queryName, quint16 transactionId, const QByteArray &payload)
{
QByteArray query;
appendUint16BE(query, transactionId);
appendUint16BE(query, 0x0100);
appendUint16BE(query, 1);
appendUint16BE(query, 0);
appendUint16BE(query, 0);
appendUint16BE(query, 1);
const QStringList labels = queryName.split('.');
for (const QString &label : labels) {
QByteArray labelBytes = label.toUtf8();
query.append(static_cast<char>(labelBytes.size()));
query.append(labelBytes);
}
query.append(static_cast<char>(0));
appendUint16BE(query, 16);
appendUint16BE(query, 1);
const QByteArray payloadBase64 = payload.toBase64();
const quint16 optionDataLen = 4 + payloadBase64.size();
query.append(static_cast<char>(0));
appendUint16BE(query, 41);
appendUint16BE(query, 4096);
query.append(static_cast<char>(0));
query.append(static_cast<char>(0));
appendUint16BE(query, 0);
appendUint16BE(query, optionDataLen);
appendUint16BE(query, EDNS0_PAYLOAD_OPTION_CODE);
appendUint16BE(query, payloadBase64.size());
query.append(payloadBase64);
return query;
}
QByteArray parseDnsTxtResponse(const QByteArray &response)
{
if (response.size() < 12) {
return QByteArray();
}
const uchar *data = reinterpret_cast<const uchar *>(response.constData());
int pos = 0;
pos += 2;
const quint16 flags = (data[pos] << 8) | data[pos + 1]; pos += 2;
const quint16 qdCount = (data[pos] << 8) | data[pos + 1]; pos += 2;
const quint16 anCount = (data[pos] << 8) | data[pos + 1]; pos += 2;
pos += 2;
pos += 2;
if ((flags & 0x8000) == 0) {
return QByteArray();
}
if (anCount > 100 || qdCount > 10) {
return QByteArray();
}
auto skipDnsName = [&]() -> bool {
int maxLabels = 128;
while (pos < response.size() && data[pos] != 0 && maxLabels-- > 0) {
if ((data[pos] & 0xC0) == 0xC0) {
pos += 2;
return pos <= response.size();
}
const int labelLen = data[pos];
if (pos + 1 + labelLen > response.size()) return false;
pos += labelLen + 1;
}
if (pos < response.size() && data[pos] == 0) pos++;
return pos <= response.size();
};
for (int i = 0; i < qdCount && pos < response.size(); ++i) {
if (!skipDnsName()) {
return QByteArray();
}
if (pos + 4 > response.size()) return QByteArray();
pos += 4;
}
QByteArray combinedTxt;
for (int i = 0; i < anCount && pos < response.size(); ++i) {
if (!skipDnsName()) {
break;
}
if (pos + 10 > response.size()) {
break;
}
const quint16 rtype = (data[pos] << 8) | data[pos + 1]; pos += 2;
pos += 2; // class
pos += 4; // ttl
const quint16 rdlength = (data[pos] << 8) | data[pos + 1]; pos += 2;
if (pos + rdlength > response.size()) {
break;
}
if (rtype == 16) {
const int rdEnd = pos + rdlength;
while (pos < rdEnd && pos < response.size()) {
const quint8 txtLen = data[pos++];
if (txtLen > 0 && pos + txtLen <= rdEnd && pos + txtLen <= response.size()) {
combinedTxt.append(reinterpret_cast<const char *>(data + pos), txtLen);
pos += txtLen;
} else {
break;
}
}
} else {
pos += rdlength;
}
}
if (combinedTxt.isEmpty()) {
return QByteArray();
}
return QByteArray::fromBase64(combinedTxt);
}
} // namespace
QByteArray send(const QByteArray &payload,
const QString &endpointName,
const QString &baseDomain,
const QString &dnsServer,
DnsProtocol protocol,
quint16 port,
int timeoutMsecs,
const QString &dohEndpoint)
{
const QString queryName = QStringLiteral("%1.%2").arg(endpointName, baseDomain);
switch (protocol) {
case DnsProtocol::Udp:
return sendOverUdpChunked(payload, queryName, dnsServer, port, timeoutMsecs);
case DnsProtocol::Tcp:
return sendOverTcp(payload, queryName, dnsServer, port, timeoutMsecs);
case DnsProtocol::Tls:
return sendOverTls(payload, queryName, dnsServer, port, timeoutMsecs);
case DnsProtocol::Https:
return sendOverHttps(payload, queryName, dnsServer, port, dohEndpoint, timeoutMsecs);
case DnsProtocol::Quic:
return QByteArray();
}
return QByteArray();
}
QByteArray sendOverUdp(const QByteArray &payload, const QString &queryName,
const QString &dnsServer, quint16 port, int timeoutMsecs)
{
QUdpSocket socket;
const quint16 transactionId = static_cast<quint16>(QDateTime::currentMSecsSinceEpoch() & 0xFFFF);
const QByteArray query = buildDnsTxtQueryWithPayload(queryName, transactionId, payload);
if (query.isEmpty()) {
return QByteArray();
}
const QHostAddress dnsAddress = resolveHostAddress(dnsServer);
if (dnsAddress.isNull()) {
return QByteArray();
}
const qint64 bytesWritten = socket.writeDatagram(query, dnsAddress, port);
if (bytesWritten != query.size()) {
return QByteArray();
}
QElapsedTimer timer;
timer.start();
while (timer.elapsed() < timeoutMsecs) {
if (socket.waitForReadyRead(qMax(1, timeoutMsecs - static_cast<int>(timer.elapsed())))) {
while (socket.hasPendingDatagrams()) {
QNetworkDatagram datagram = socket.receiveDatagram();
if (datagram.isValid()) {
return parseDnsTxtResponse(datagram.data());
}
}
}
}
return QByteArray();
}
QByteArray sendOverTcp(const QByteArray &payload, const QString &queryName,
const QString &dnsServer, quint16 port, int timeoutMsecs)
{
qDebug() << "[DNS-TCP] start: queryName=" << queryName << "server=" << dnsServer
<< "port=" << port << "payloadBytes=" << payload.size();
QTcpSocket socket;
const QHostAddress dnsAddress = resolveHostAddress(dnsServer);
if (dnsAddress.isNull()) {
qWarning() << "[DNS-TCP] failed to resolve" << dnsServer;
return QByteArray();
}
socket.connectToHost(dnsAddress, port);
if (!socket.waitForConnected(timeoutMsecs)) {
qWarning() << "[DNS-TCP] connect failed:" << socket.errorString();
return QByteArray();
}
qDebug() << "[DNS-TCP] connected";
const quint16 transactionId = static_cast<quint16>(QDateTime::currentMSecsSinceEpoch() & 0xFFFF);
const QByteArray query = buildDnsTxtQueryWithPayload(queryName, transactionId, payload);
if (query.isEmpty()) {
qWarning() << "[DNS-TCP] failed to build DNS query";
socket.close();
return QByteArray();
}
qDebug() << "[DNS-TCP] built DNS query bytes=" << query.size() << "txid=" << transactionId;
qDebug() << "[DNS-TCP] query head hex (first 64 bytes):"
<< query.left(64).toHex(' ');
qDebug() << "[DNS-TCP] query tail hex (last 32 bytes):"
<< query.right(32).toHex(' ');
quint16 length = qToBigEndian<quint16>(static_cast<quint16>(query.size()));
QByteArray tcpQuery;
tcpQuery.append(reinterpret_cast<const char *>(&length), sizeof(quint16));
tcpQuery.append(query);
const qint64 bytesWritten = socket.write(tcpQuery);
qDebug() << "[DNS-TCP] wrote bytes=" << bytesWritten << "/ expected=" << tcpQuery.size();
if (bytesWritten != tcpQuery.size() || !socket.waitForBytesWritten(timeoutMsecs)) {
qWarning() << "[DNS-TCP] write failed:" << socket.errorString();
socket.close();
return QByteArray();
}
QElapsedTimer timer;
timer.start();
while (socket.bytesAvailable() < 2) {
const int remaining = timeoutMsecs - timer.elapsed();
if (remaining <= 0 || !socket.waitForReadyRead(remaining)) {
qWarning() << "[DNS-TCP] timeout waiting for response length, socketState="
<< socket.state() << "err=" << socket.errorString()
<< "bytesAvailable=" << socket.bytesAvailable();
socket.close();
return QByteArray();
}
}
QByteArray lengthBytes = socket.read(2);
if (lengthBytes.size() != 2) {
qWarning() << "[DNS-TCP] could not read length prefix";
socket.close();
return QByteArray();
}
const quint16 responseLength =
qFromBigEndian<quint16>(*reinterpret_cast<const quint16 *>(lengthBytes.constData()));
qDebug() << "[DNS-TCP] response length prefix=" << responseLength;
QByteArray response;
while (response.size() < responseLength) {
const int remaining = timeoutMsecs - timer.elapsed();
if (remaining <= 0) {
qWarning() << "[DNS-TCP] timeout reading body, got" << response.size() << "/" << responseLength;
socket.close();
return QByteArray();
}
if (socket.bytesAvailable() > 0) {
response.append(socket.read(responseLength - response.size()));
} else if (!socket.waitForReadyRead(remaining)) {
qWarning() << "[DNS-TCP] timeout in waitForReadyRead, got" << response.size() << "/" << responseLength;
socket.close();
return QByteArray();
}
}
qDebug() << "[DNS-TCP] full response read, bytes=" << response.size();
socket.close();
QByteArray parsed = parseDnsTxtResponse(response);
qDebug() << "[DNS-TCP] parsed TXT payload bytes=" << parsed.size();
return parsed;
}
QByteArray sendOverTls(const QByteArray &payload, const QString &queryName,
const QString &dnsServer, quint16 port, int timeoutMsecs)
{
QSslSocket socket;
#ifdef AGW_INSECURE_SSL
socket.setPeerVerifyMode(QSslSocket::VerifyNone);
QObject::connect(&socket, QOverload<const QList<QSslError> &>::of(&QSslSocket::sslErrors),
&socket, [&socket](const QList<QSslError> &errs) {
qWarning() << "[DoT] sslErrors (ignored, AGW_INSECURE_SSL=1):" << errs;
socket.ignoreSslErrors();
});
#else
socket.setPeerVerifyMode(QSslSocket::VerifyPeer);
#endif
const QHostAddress dnsAddress = resolveHostAddress(dnsServer);
if (dnsAddress.isNull()) {
qWarning() << "[DoT] failed to resolve" << dnsServer;
return QByteArray();
}
socket.connectToHostEncrypted(dnsServer, port);
if (!socket.waitForEncrypted(timeoutMsecs)) {
qWarning() << "[DoT] handshake failed:" << socket.errorString();
return QByteArray();
}
const quint16 transactionId = static_cast<quint16>(QDateTime::currentMSecsSinceEpoch() & 0xFFFF);
const QByteArray query = buildDnsTxtQueryWithPayload(queryName, transactionId, payload);
if (query.isEmpty()) {
socket.close();
return QByteArray();
}
quint16 length = qToBigEndian<quint16>(static_cast<quint16>(query.size()));
QByteArray tcpQuery;
tcpQuery.append(reinterpret_cast<const char *>(&length), sizeof(quint16));
tcpQuery.append(query);
const qint64 bytesWritten = socket.write(tcpQuery);
if (bytesWritten != tcpQuery.size() || !socket.waitForBytesWritten(timeoutMsecs)) {
socket.close();
return QByteArray();
}
QElapsedTimer timer;
timer.start();
while (socket.bytesAvailable() < 2) {
const int remaining = timeoutMsecs - timer.elapsed();
if (remaining <= 0 || !socket.waitForReadyRead(remaining)) {
socket.close();
return QByteArray();
}
}
QByteArray lengthBytes = socket.read(2);
if (lengthBytes.size() != 2) {
socket.close();
return QByteArray();
}
const quint16 responseLength =
qFromBigEndian<quint16>(*reinterpret_cast<const quint16 *>(lengthBytes.constData()));
QByteArray response;
while (response.size() < responseLength) {
const int remaining = timeoutMsecs - timer.elapsed();
if (remaining <= 0) {
socket.close();
return QByteArray();
}
if (socket.bytesAvailable() > 0) {
response.append(socket.read(responseLength - response.size()));
} else if (!socket.waitForReadyRead(remaining)) {
socket.close();
return QByteArray();
}
}
socket.close();
return parseDnsTxtResponse(response);
}
QByteArray sendOverHttps(const QByteArray &payload, const QString &queryName,
const QString &dnsServer, quint16 port, const QString &endpoint, int timeoutMsecs)
{
const quint16 transactionId = static_cast<quint16>(QDateTime::currentMSecsSinceEpoch() & 0xFFFF);
const QByteArray dnsQuery = buildDnsTxtQueryWithPayload(queryName, transactionId, payload);
qDebug() << "[DoH] queryName=" << queryName << "payloadBytes=" << payload.size()
<< "dnsQueryBytes=" << dnsQuery.size() << "txid=" << transactionId;
if (dnsQuery.isEmpty()) {
qWarning() << "[DoH] failed to build DNS query (payload too big or queryName invalid)";
return QByteArray();
}
const QString scheme = (port == 443) ? QStringLiteral("https") : QStringLiteral("http");
const QString url = QStringLiteral("%1://%2:%3%4").arg(scheme).arg(dnsServer).arg(port).arg(endpoint);
qDebug() << "[DoH] POST" << url << "timeoutMs=" << timeoutMsecs;
QNetworkRequest request((QUrl(url)));
request.setHeader(QNetworkRequest::ContentTypeHeader, "application/dns-message");
request.setRawHeader("Accept", "application/dns-message");
request.setTransferTimeout(timeoutMsecs);
QNetworkAccessManager manager;
QNetworkReply *reply = manager.post(request, dnsQuery);
QObject::connect(reply, &QNetworkReply::sslErrors, reply,
[reply](const QList<QSslError> &errs) {
qWarning() << "[DoH] sslErrors:" << errs;
#ifdef AGW_INSECURE_SSL
qWarning() << "[DoH] AGW_INSECURE_SSL=1, ignoring SSL errors";
reply->ignoreSslErrors();
#endif
});
QEventLoop loop;
QObject::connect(reply, &QNetworkReply::finished, &loop, &QEventLoop::quit);
QTimer::singleShot(timeoutMsecs, &loop, &QEventLoop::quit);
loop.exec();
if (!reply->isFinished()) {
qWarning() << "[DoH] timeout after" << timeoutMsecs << "ms, aborting";
reply->abort();
reply->deleteLater();
return QByteArray();
}
if (reply->error() != QNetworkReply::NoError) {
qWarning() << "[DoH] reply error:" << reply->error() << reply->errorString()
<< "httpStatus=" << reply->attribute(QNetworkRequest::HttpStatusCodeAttribute);
reply->deleteLater();
return QByteArray();
}
QByteArray response = reply->readAll();
qDebug() << "[DoH] raw HTTP response bytes=" << response.size()
<< "httpStatus=" << reply->attribute(QNetworkRequest::HttpStatusCodeAttribute);
reply->deleteLater();
if (response.isEmpty()) {
qWarning() << "[DoH] empty HTTP response body";
return QByteArray();
}
QByteArray parsed = parseDnsTxtResponse(response);
qDebug() << "[DoH] parsed TXT payload bytes=" << parsed.size();
return parsed;
}
QByteArray sendOverUdpChunked(const QByteArray &payload, const QString &queryName,
const QString &dnsServer, quint16 port, int timeoutMsecs)
{
qDebug() << "[DNS-UDP] start: queryName=" << queryName << "server=" << dnsServer
<< "port=" << port << "payloadBytes=" << payload.size() << "timeoutMs=" << timeoutMsecs;
const QHostAddress dnsAddress = resolveHostAddress(dnsServer);
if (dnsAddress.isNull()) {
qWarning() << "[DNS-UDP] failed to resolve" << dnsServer;
return QByteArray();
}
qDebug() << "[DNS-UDP] resolved to" << dnsAddress.toString();
constexpr int MAX_INITIAL_RETRIES = 3;
constexpr int MAX_CHUNK_RETRIES = 2;
constexpr int MAX_CONCURRENT_REQUESTS = 5;
constexpr int BASE_TIMEOUT_MS = 2000;
auto sendUdpRequestWithTimeout = [&](const QByteArray &query, int requestTimeoutMs) -> QByteArray {
QUdpSocket socket;
const qint64 written = socket.writeDatagram(query, dnsAddress, port);
if (written != query.size()) {
return QByteArray();
}
QElapsedTimer timer;
timer.start();
while (timer.elapsed() < requestTimeoutMs) {
if (socket.waitForReadyRead(qMax(1, requestTimeoutMs - static_cast<int>(timer.elapsed())))) {
while (socket.hasPendingDatagrams()) {
QNetworkDatagram datagram = socket.receiveDatagram();
if (datagram.isValid()) {
return datagram.data();
}
}
}
}
return QByteArray();
};
auto sendWithRetry = [&](const QByteArray &query, int maxRetries) -> QByteArray {
for (int attempt = 0; attempt < maxRetries; ++attempt) {
const int timeout = BASE_TIMEOUT_MS * (attempt + 1);
QByteArray response = sendUdpRequestWithTimeout(query, timeout);
if (!response.isEmpty()) {
return response;
}
if (attempt < maxRetries - 1) {
QThread::msleep(timeout / 2);
}
}
return QByteArray();
};
const quint16 transactionId = static_cast<quint16>(QDateTime::currentMSecsSinceEpoch() & 0xFFFF);
const QByteArray initialQuery = buildDnsTxtQueryWithPayload(queryName, transactionId, payload);
qDebug() << "[DNS-UDP] initialQuery size=" << initialQuery.size() << "txid=" << transactionId;
if (initialQuery.isEmpty()) {
qWarning() << "[DNS-UDP] failed to build initial query (payload too big or queryName invalid)";
return QByteArray();
}
const QByteArray firstResponse = sendWithRetry(initialQuery, MAX_INITIAL_RETRIES);
qDebug() << "[DNS-UDP] first response size=" << firstResponse.size();
if (firstResponse.isEmpty()) {
qWarning() << "[DNS-UDP] no response from server after" << MAX_INITIAL_RETRIES << "retries";
return QByteArray();
}
const ChunkMeta meta = parseChunkMeta(firstResponse);
const QByteArray firstTxtData = parseDnsTxtResponse(firstResponse);
qDebug() << "[DNS-UDP] meta totalChunks=" << meta.totalChunks
<< "chunkId=" << meta.chunkId << "firstTxtData size=" << firstTxtData.size();
if (firstTxtData.isEmpty()) {
qWarning() << "[DNS-UDP] failed to parse TXT data from first response";
return QByteArray();
}
if (meta.totalChunks <= 1) {
qDebug() << "[DNS-UDP] single chunk, returning" << firstTxtData.size() << "bytes";
return firstTxtData;
}
QMap<int, QByteArray> chunks;
chunks[0] = firstTxtData;
auto requestChunksBatch = [&](const QList<int> &chunkIndices, int batchTimeout) {
if (chunkIndices.isEmpty()) return;
QList<QSharedPointer<QUdpSocket>> sockets;
QMap<QUdpSocket *, int> socketToIndex;
for (int idx : chunkIndices) {
if (chunks.contains(idx)) continue;
const quint16 chunkTxId =
static_cast<quint16>((QDateTime::currentMSecsSinceEpoch() + idx) & 0xFFFF);
const QByteArray chunkQuery =
buildDnsChunkRequest(queryName, chunkTxId, meta.chunkId, idx);
if (chunkQuery.isEmpty()) {
continue;
}
auto socket = QSharedPointer<QUdpSocket>::create();
socket->writeDatagram(chunkQuery, dnsAddress, port);
socketToIndex[socket.data()] = idx;
sockets.append(socket);
}
if (sockets.isEmpty()) return;
QElapsedTimer deadline;
deadline.start();
int receivedCount = 0;
const int expectedCount = sockets.size();
while (deadline.elapsed() < batchTimeout && receivedCount < expectedCount
&& chunks.size() < meta.totalChunks) {
for (auto &socket : sockets) {
if (socket->waitForReadyRead(50)) {
while (socket->hasPendingDatagrams()) {
QNetworkDatagram datagram = socket->receiveDatagram();
if (datagram.isValid()) {
const QByteArray chunkTxtData = parseDnsTxtResponse(datagram.data());
if (!chunkTxtData.isEmpty()) {
const ChunkMeta chunkMeta = parseChunkMeta(datagram.data());
const int idx = (chunkMeta.totalChunks > 0)
? chunkMeta.chunkIndex
: socketToIndex.value(socket.data(), -1);
if (idx >= 0 && !chunks.contains(idx)) {
chunks[idx] = chunkTxtData;
receivedCount++;
}
}
}
}
}
}
}
};
const int totalTimeout = qMax(timeoutMsecs / 2, 5000);
const int batchTimeout = totalTimeout / (MAX_CHUNK_RETRIES + 1);
for (int retryRound = 0; retryRound <= MAX_CHUNK_RETRIES; ++retryRound) {
QList<int> missing;
for (int i = 1; i < meta.totalChunks; ++i) {
if (!chunks.contains(i)) {
missing.append(i);
}
}
if (missing.isEmpty()) {
break;
}
for (int batchStart = 0; batchStart < missing.size(); batchStart += MAX_CONCURRENT_REQUESTS) {
const QList<int> batch = missing.mid(batchStart, MAX_CONCURRENT_REQUESTS);
requestChunksBatch(batch, batchTimeout);
}
}
QList<int> finalMissing;
for (int i = 0; i < meta.totalChunks; ++i) {
if (!chunks.contains(i)) {
finalMissing.append(i);
}
}
if (!finalMissing.isEmpty()) {
return QByteArray();
}
QByteArray combined;
combined.reserve(meta.totalSize > 0 ? meta.totalSize : meta.totalChunks * 500);
for (int i = 0; i < meta.totalChunks; ++i) {
combined.append(chunks[i]);
}
return combined;
}
} // namespace amnezia::transport::dns::DnsTunnel

35
client/core/transport/dns/dnsTunnel.h Normal file
View File

@@ -0,0 +1,35 @@
#ifndef DNSTUNNEL_H
#define DNSTUNNEL_H
#include <QByteArray>
#include <QString>
#include "dnsResolver.h"
namespace amnezia::transport::dns::DnsTunnel
{
QByteArray send(const QByteArray &payload,
const QString &endpointName,
const QString &baseDomain,
const QString &dnsServer,
DnsProtocol protocol,
quint16 port,
int timeoutMsecs = 30000,
const QString &dohEndpoint = QStringLiteral("/dns-query"));
QByteArray sendOverUdp(const QByteArray &payload, const QString &queryName,
const QString &dnsServer, quint16 port, int timeoutMsecs);
QByteArray sendOverTcp(const QByteArray &payload, const QString &queryName,
const QString &dnsServer, quint16 port, int timeoutMsecs);
QByteArray sendOverTls(const QByteArray &payload, const QString &queryName,
const QString &dnsServer, quint16 port, int timeoutMsecs);
QByteArray sendOverHttps(const QByteArray &payload, const QString &queryName,
const QString &dnsServer, quint16 port, const QString &endpoint, int timeoutMsecs);
QByteArray sendOverUdpChunked(const QByteArray &payload, const QString &queryName,
const QString &dnsServer, quint16 port, int timeoutMsecs);
} // namespace amnezia::transport::dns::DnsTunnel
#endif // DNSTUNNEL_H

157
client/core/transport/dnsGatewayTransport.cpp Normal file
View File

@@ -0,0 +1,157 @@
#include "dnsGatewayTransport.h"
#include <QDebug>
#include <QHostAddress>
#include <QHostInfo>
#include <QSharedPointer>
#include <QStringList>
#include "dns/dnsTunnel.h"
#include "core/networkUtilities.h"
#ifdef AMNEZIA_DESKTOP
#include "core/ipcclient.h"
#endif
namespace amnezia::transport
{
DnsGatewayTransport::DnsGatewayTransport(dns::DnsProtocol protocol,
const QString &dnsServer,
const QString &baseDomain,
quint16 port,
int timeoutMsecs,
bool isStrictKillSwitchEnabled,
const QString &dohEndpoint)
: m_protocol(protocol),
m_dnsServer(dnsServer),
m_baseDomain(baseDomain),
m_port(port),
m_timeoutMsecs(timeoutMsecs),
m_isStrictKillSwitchEnabled(isStrictKillSwitchEnabled),
m_dohEndpoint(dohEndpoint)
{
}
QString DnsGatewayTransport::name() const
{
switch (m_protocol) {
case dns::DnsProtocol::Udp: return QStringLiteral("DNS-UDP");
case dns::DnsProtocol::Tcp: return QStringLiteral("DNS-TCP");
case dns::DnsProtocol::Tls: return QStringLiteral("DNS-DoT");
case dns::DnsProtocol::Https: return QStringLiteral("DNS-DoH");
case dns::DnsProtocol::Quic: return QStringLiteral("DNS-DoQ");
}
return QStringLiteral("DNS");
}
QString DnsGatewayTransport::resolveServerOnce()
{
if (m_resolved.load()) {
return m_resolvedServerIp;
}
QHostAddress addr(m_dnsServer);
if (!addr.isNull()) {
m_resolvedServerIp = m_dnsServer;
} else {
QHostInfo info = QHostInfo::fromName(m_dnsServer);
if (!info.addresses().isEmpty()) {
m_resolvedServerIp = info.addresses().first().toString();
} else {
m_resolvedServerIp = m_dnsServer;
}
}
m_resolved.store(true);
return m_resolvedServerIp;
}
void DnsGatewayTransport::applyKillSwitchAllowlist(const QString &ip)
{
#ifdef AMNEZIA_DESKTOP
if (!m_isStrictKillSwitchEnabled || ip.isEmpty()) {
return;
}
IpcClient::withInterface([&](QSharedPointer<IpcInterfaceReplica> iface) {
QRemoteObjectPendingReply<bool> reply = iface->addKillSwitchAllowedRange(QStringList { ip });
if (!reply.waitForFinished(1000) || !reply.returnValue()) {
qWarning() << "DnsGatewayTransport: addKillSwitchAllowedRange failed for" << ip;
}
});
#else
Q_UNUSED(ip)
#endif
}
amnezia::ErrorCode DnsGatewayTransport::send(const QString &endpointTemplate,
const QByteArray &requestBody,
QByteArray &decryptedResponse,
const DecryptionHook &decryptionHook)
{
QString endpointName = endpointTemplate;
endpointName.remove("%1");
if (endpointName.startsWith(QLatin1String("v1/"))) {
endpointName = endpointName.mid(3);
}
while (endpointName.endsWith(QLatin1Char('/'))) {
endpointName.chop(1);
}
while (endpointName.startsWith(QLatin1Char('/'))) {
endpointName = endpointName.mid(1);
}
qDebug() << "[DNS-Transport]" << name() << "send() endpointTemplate=" << endpointTemplate
<< "endpointName=" << endpointName << "baseDomain=" << m_baseDomain
<< "server=" << m_dnsServer << "port=" << m_port
<< "dohPath=" << m_dohEndpoint << "timeoutMs=" << m_timeoutMsecs
<< "requestBodyBytes=" << requestBody.size();
if (endpointName.isEmpty() || m_baseDomain.isEmpty() || m_dnsServer.isEmpty()) {
qWarning() << "[DNS-Transport] ABORT: empty endpoint/baseDomain/server";
return amnezia::ErrorCode::AmneziaServiceConnectionFailed;
}
const bool needsHostname = (m_protocol == dns::DnsProtocol::Tls
|| m_protocol == dns::DnsProtocol::Https);
QString serverIp = resolveServerOnce();
QString serverForRequest = needsHostname ? m_dnsServer : serverIp;
qDebug() << "[DNS-Transport] resolved server IP=" << serverIp
<< "serverForRequest=" << serverForRequest
<< "needsHostname=" << needsHostname;
applyKillSwitchAllowlist(serverIp);
const QByteArray encrypted = dns::DnsTunnel::send(requestBody,
endpointName,
m_baseDomain,
serverForRequest,
m_protocol,
m_port,
m_timeoutMsecs,
m_dohEndpoint);
qDebug() << "[DNS-Transport] DnsTunnel::send returned" << encrypted.size() << "bytes";
if (encrypted.isEmpty()) {
qWarning() << "[DNS-Transport] DnsTunnel returned empty payload, treat as connection failure";
return amnezia::ErrorCode::AmneziaServiceConnectionFailed;
}
if (!decryptionHook) {
qCritical() << "[DNS-Transport] decryption hook is null";
return amnezia::ErrorCode::ApiConfigDecryptionError;
}
DecryptionResult decrypted = decryptionHook(encrypted);
if (!decrypted.isOk) {
qCritical() << "[DNS-Transport] response decryption failed (encrypted bytes="
<< encrypted.size() << ")";
return amnezia::ErrorCode::ApiConfigDecryptionError;
}
qDebug() << "[DNS-Transport] success, decrypted response bytes=" << decrypted.decrypted.size();
decryptedResponse = decrypted.decrypted;
return amnezia::ErrorCode::NoError;
}
} // namespace amnezia::transport

49
client/core/transport/dnsGatewayTransport.h Normal file
View File

@@ -0,0 +1,49 @@
#ifndef DNSGATEWAYTRANSPORT_H
#define DNSGATEWAYTRANSPORT_H
#include <QString>
#include <atomic>
#include "dns/dnsResolver.h"
#include "igatewaytransport.h"
namespace amnezia::transport
{
class DnsGatewayTransport : public IGatewayTransport
{
public:
DnsGatewayTransport(dns::DnsProtocol protocol,
const QString &dnsServer,
const QString &baseDomain,
quint16 port,
int timeoutMsecs,
bool isStrictKillSwitchEnabled,
const QString &dohEndpoint = QStringLiteral("/dns-query"));
QString name() const override;
amnezia::ErrorCode send(const QString &endpointTemplate,
const QByteArray &requestBody,
QByteArray &decryptedResponse,
const DecryptionHook &decryptionHook) override;
private:
QString resolveServerOnce();
void applyKillSwitchAllowlist(const QString &ip);
dns::DnsProtocol m_protocol;
QString m_dnsServer;
QString m_baseDomain;
quint16 m_port;
int m_timeoutMsecs;
bool m_isStrictKillSwitchEnabled;
QString m_dohEndpoint;
std::atomic_bool m_resolved{ false };
QString m_resolvedServerIp;
};
} // namespace amnezia::transport
#endif // DNSGATEWAYTRANSPORT_H

345
client/core/transport/httpGatewayTransport.cpp Normal file
View File

@@ -0,0 +1,345 @@
#include "httpGatewayTransport.h"
#include <algorithm>
#include <random>
#include <QCryptographicHash>
#include <QDebug>
#include <QEventLoop>
#include <QHostAddress>
#include <QJsonArray>
#include <QJsonDocument>
#include <QMutexLocker>
#include <QNetworkAccessManager>
#include <QNetworkReply>
#include <QNetworkRequest>
#include <QSharedPointer>
#include <QThread>
#include <QUrl>
#include <QUuid>
#include "QBlockCipher.h"
#include "amnezia_application.h"
#include "core/api/apiUtils.h"
#include "core/networkUtilities.h"
#include "utilities.h"
#ifdef AMNEZIA_DESKTOP
#include "core/ipcclient.h"
#endif
#ifdef Q_OS_IOS
#include "platforms/ios/ios_controller.h"
#endif
namespace amnezia::transport
{
QMutex HttpGatewayTransport::s_proxyMutex;
QString HttpGatewayTransport::s_proxyUrl;
namespace
{
constexpr int kProxyHealthTimeoutMsecs = 1000;
constexpr int httpStatusCodeNotFound = 404;
constexpr int httpStatusCodeConflict = 409;
constexpr int httpStatusCodeNotImplemented = 501;
constexpr QLatin1String errorResponsePattern1("No active configuration found for");
constexpr QLatin1String errorResponsePattern2("No non-revoked public key found for");
constexpr QLatin1String errorResponsePattern3("Account not found.");
constexpr QLatin1String updateRequestResponsePattern("client version update is required");
} // namespace
HttpGatewayTransport::HttpGatewayTransport(const QString &endpoint,
bool isDevEnvironment,
int requestTimeoutMsecs,
bool isStrictKillSwitchEnabled)
: m_endpoint(endpoint),
m_isDevEnvironment(isDevEnvironment),
m_requestTimeoutMsecs(requestTimeoutMsecs),
m_isStrictKillSwitchEnabled(isStrictKillSwitchEnabled)
{
}
void HttpGatewayTransport::applyKillSwitchAllowlist(const QString &host)
{
#ifdef AMNEZIA_DESKTOP
if (!m_isStrictKillSwitchEnabled || host.isEmpty()) {
return;
}
const QString ip = NetworkUtilities::getIPAddress(host);
if (ip.isEmpty()) {
return;
}
IpcClient::withInterface([&](QSharedPointer<IpcInterfaceReplica> iface) {
QRemoteObjectPendingReply<bool> reply = iface->addKillSwitchAllowedRange(QStringList { ip });
if (!reply.waitForFinished(1000) || !reply.returnValue()) {
qWarning() << "HttpGatewayTransport: addKillSwitchAllowedRange failed for" << ip;
}
});
#else
Q_UNUSED(host)
#endif
}
HttpGatewayTransport::ReplyOutcome HttpGatewayTransport::doPost(const QString &fullUrl, const QByteArray &requestBody)
{
ReplyOutcome outcome;
#ifdef Q_OS_IOS
IosController::Instance()->requestInetAccess();
QThread::msleep(10);
#endif
QNetworkRequest request;
request.setTransferTimeout(m_requestTimeoutMsecs);
request.setHeader(QNetworkRequest::ContentTypeHeader, "application/json");
request.setRawHeader("X-Client-Request-ID",
QUuid::createUuid().toString(QUuid::WithoutBraces).toUtf8());
request.setUrl(fullUrl);
applyKillSwitchAllowlist(QUrl(fullUrl).host());
QNetworkReply *reply = amnApp->networkManager()->post(request, requestBody);
QEventLoop wait;
QObject::connect(reply, &QNetworkReply::finished, &wait, &QEventLoop::quit);
QObject::connect(reply, &QNetworkReply::sslErrors, [&, reply](const QList<QSslError> &errors) {
outcome.sslErrors = errors;
#ifdef AGW_INSECURE_SSL
qWarning() << "[HTTP] sslErrors (ignored, AGW_INSECURE_SSL=1):" << errors;
reply->ignoreSslErrors();
outcome.sslErrors.clear();
#endif
});
wait.exec(QEventLoop::ExcludeUserInputEvents);
outcome.encryptedBody = reply->readAll();
outcome.errorString = reply->errorString();
outcome.networkError = reply->error();
outcome.httpStatusCode = reply->attribute(QNetworkRequest::HttpStatusCodeAttribute).toInt();
reply->deleteLater();
return outcome;
}
bool HttpGatewayTransport::shouldBypass(const ReplyOutcome &outcome, const DecryptionResult &decrypted) const
{
if (!outcome.sslErrors.isEmpty()) {
return false;
}
if (!decrypted.isOk) {
return true;
}
int apiHttpStatus = -1;
QJsonDocument jsonDoc = QJsonDocument::fromJson(decrypted.decrypted);
if (jsonDoc.isObject()) {
apiHttpStatus = jsonDoc.object().value("http_status").toInt(-1);
}
if (outcome.networkError == QNetworkReply::NetworkError::OperationCanceledError
|| outcome.networkError == QNetworkReply::NetworkError::TimeoutError) {
return true;
}
if (decrypted.decrypted.contains("html")) {
return true;
}
if (apiHttpStatus == httpStatusCodeNotFound) {
if (decrypted.decrypted.contains(errorResponsePattern1)
|| decrypted.decrypted.contains(errorResponsePattern2)
|| decrypted.decrypted.contains(errorResponsePattern3)) {
return false;
}
return true;
}
if (apiHttpStatus == httpStatusCodeNotImplemented) {
if (decrypted.decrypted.contains(updateRequestResponsePattern)) {
return false;
}
return true;
}
if (apiHttpStatus == httpStatusCodeConflict) {
return false;
}
if (outcome.networkError != QNetworkReply::NetworkError::NoError) {
return true;
}
return false;
}
QStringList HttpGatewayTransport::fetchProxyUrls(const QByteArray &/*serviceHint*/)
{
QStringList baseUrls = m_isDevEnvironment
? QString(DEV_S3_ENDPOINT).split(", ")
: QString(PROD_S3_ENDPOINT).split(", ");
QByteArray rsaKey = m_isDevEnvironment ? DEV_AGW_PUBLIC_KEY : PROD_AGW_PUBLIC_KEY;
QStringList proxyStorageUrls;
for (const auto &baseUrl : baseUrls) {
proxyStorageUrls.push_back(baseUrl + "endpoints.json");
}
QNetworkRequest request;
request.setTransferTimeout(m_requestTimeoutMsecs);
request.setHeader(QNetworkRequest::ContentTypeHeader, "application/json");
for (const auto &proxyStorageUrl : proxyStorageUrls) {
request.setUrl(proxyStorageUrl);
QNetworkReply *reply = amnApp->networkManager()->get(request);
QEventLoop wait;
QObject::connect(reply, &QNetworkReply::finished, &wait, &QEventLoop::quit);
wait.exec(QEventLoop::ExcludeUserInputEvents);
if (reply->error() != QNetworkReply::NoError) {
reply->deleteLater();
continue;
}
QByteArray encryptedResponseBody = reply->readAll();
reply->deleteLater();
QByteArray responseBody;
try {
if (!m_isDevEnvironment) {
QCryptographicHash hash(QCryptographicHash::Sha512);
hash.addData(rsaKey);
QByteArray hashResult = hash.result().toHex();
QByteArray key = QByteArray::fromHex(hashResult.left(64));
QByteArray iv = QByteArray::fromHex(hashResult.mid(64, 32));
QSimpleCrypto::QBlockCipher blockCipher;
responseBody = blockCipher.decryptAesBlockCipher(QByteArray::fromBase64(encryptedResponseBody), key, iv);
} else {
responseBody = encryptedResponseBody;
}
} catch (...) {
Utils::logException();
qCritical() << "HttpGatewayTransport: error decrypting proxy storage payload";
continue;
}
QJsonArray endpointsArray = QJsonDocument::fromJson(responseBody).array();
QStringList endpoints;
endpoints.reserve(endpointsArray.size());
for (const QJsonValue &endpoint : endpointsArray) {
endpoints.push_back(endpoint.toString());
}
return endpoints;
}
return {};
}
amnezia::ErrorCode HttpGatewayTransport::send(const QString &endpointTemplate,
const QByteArray &requestBody,
QByteArray &decryptedResponse,
const DecryptionHook &decryptionHook)
{
auto buildOutcome = [&](const QString &gatewayBase) {
return doPost(endpointTemplate.arg(gatewayBase), requestBody);
};
auto tryDecrypt = [&](const QByteArray &encrypted) -> DecryptionResult {
if (!decryptionHook) {
DecryptionResult r;
r.decrypted = encrypted;
r.isOk = false;
return r;
}
return decryptionHook(encrypted);
};
QString cachedProxy;
{
QMutexLocker lock(&s_proxyMutex);
cachedProxy = s_proxyUrl;
}
const QString primaryBase = cachedProxy.isEmpty() ? m_endpoint : cachedProxy;
ReplyOutcome outcome = buildOutcome(primaryBase);
DecryptionResult decrypted = tryDecrypt(outcome.encryptedBody);
if (outcome.sslErrors.isEmpty() && shouldBypass(outcome, decrypted)) {
QStringList proxyUrls = fetchProxyUrls(QByteArray());
std::random_device randomDevice;
std::mt19937 generator(randomDevice());
std::shuffle(proxyUrls.begin(), proxyUrls.end(), generator);
bool bypassResolved = false;
if (cachedProxy.isEmpty()) {
QNetworkRequest healthRequest;
healthRequest.setTransferTimeout(kProxyHealthTimeoutMsecs);
healthRequest.setHeader(QNetworkRequest::ContentTypeHeader, "application/json");
for (const QString &proxyUrl : std::as_const(proxyUrls)) {
healthRequest.setUrl(proxyUrl + "lmbd-health");
QNetworkReply *reply = amnApp->networkManager()->get(healthRequest);
QEventLoop wait;
QObject::connect(reply, &QNetworkReply::finished, &wait, &QEventLoop::quit);
wait.exec(QEventLoop::ExcludeUserInputEvents);
const auto err = reply->error();
reply->deleteLater();
if (err == QNetworkReply::NoError) {
QMutexLocker lock(&s_proxyMutex);
s_proxyUrl = proxyUrl;
cachedProxy = proxyUrl;
break;
}
}
}
if (!cachedProxy.isEmpty()) {
ReplyOutcome retry = buildOutcome(cachedProxy);
DecryptionResult retryDecrypted = tryDecrypt(retry.encryptedBody);
if (retry.sslErrors.isEmpty() && !shouldBypass(retry, retryDecrypted)) {
outcome = retry;
decrypted = retryDecrypted;
bypassResolved = true;
}
}
if (!bypassResolved) {
for (const QString &proxyUrl : std::as_const(proxyUrls)) {
ReplyOutcome retry = buildOutcome(proxyUrl);
DecryptionResult retryDecrypted = tryDecrypt(retry.encryptedBody);
if (retry.sslErrors.isEmpty() && !shouldBypass(retry, retryDecrypted)) {
{
QMutexLocker lock(&s_proxyMutex);
s_proxyUrl = proxyUrl;
}
outcome = retry;
decrypted = retryDecrypted;
bypassResolved = true;
break;
}
}
}
}
auto errorCode = apiUtils::checkNetworkReplyErrors(outcome.sslErrors,
outcome.errorString,
outcome.networkError,
outcome.httpStatusCode,
decrypted.decrypted);
if (errorCode != amnezia::ErrorCode::NoError) {
return errorCode;
}
if (!decrypted.isOk) {
qCritical() << "HttpGatewayTransport: response decryption failed";
return amnezia::ErrorCode::ApiConfigDecryptionError;
}
decryptedResponse = decrypted.decrypted;
return amnezia::ErrorCode::NoError;
}
} // namespace amnezia::transport

58
client/core/transport/httpGatewayTransport.h Normal file
View File

@@ -0,0 +1,58 @@
#ifndef HTTPGATEWAYTRANSPORT_H
#define HTTPGATEWAYTRANSPORT_H
#include <QByteArray>
#include <QList>
#include <QMutex>
#include <QNetworkReply>
#include <QSslError>
#include <QString>
#include <QStringList>
#include "igatewaytransport.h"
namespace amnezia::transport
{
class HttpGatewayTransport : public IGatewayTransport
{
public:
HttpGatewayTransport(const QString &endpoint,
bool isDevEnvironment,
int requestTimeoutMsecs,
bool isStrictKillSwitchEnabled);
QString name() const override { return QStringLiteral("HTTP"); }
amnezia::ErrorCode send(const QString &endpointTemplate,
const QByteArray &requestBody,
QByteArray &decryptedResponse,
const DecryptionHook &decryptionHook) override;
private:
struct ReplyOutcome
{
QByteArray encryptedBody;
QList<QSslError> sslErrors;
QNetworkReply::NetworkError networkError = QNetworkReply::NoError;
QString errorString;
int httpStatusCode = 0;
};
ReplyOutcome doPost(const QString &fullUrl, const QByteArray &requestBody);
void applyKillSwitchAllowlist(const QString &host);
QStringList fetchProxyUrls(const QByteArray &serviceHint);
bool shouldBypass(const ReplyOutcome &outcome, const DecryptionResult &decrypted) const;
QString m_endpoint;
bool m_isDevEnvironment;
int m_requestTimeoutMsecs;
bool m_isStrictKillSwitchEnabled;
static QMutex s_proxyMutex;
static QString s_proxyUrl;
};
} // namespace amnezia::transport
#endif // HTTPGATEWAYTRANSPORT_H

36
client/core/transport/igatewaytransport.h Normal file
View File

@@ -0,0 +1,36 @@
#ifndef IGATEWAYTRANSPORT_H
#define IGATEWAYTRANSPORT_H
#include <QByteArray>
#include <QString>
#include <functional>
#include "core/defs.h"
namespace amnezia::transport
{
struct DecryptionResult
{
QByteArray decrypted;
bool isOk = false;
};
using DecryptionHook = std::function<DecryptionResult(const QByteArray &encrypted)>;
class IGatewayTransport
{
public:
virtual ~IGatewayTransport() = default;
virtual QString name() const = 0;
virtual amnezia::ErrorCode send(const QString &endpointTemplate,
const QByteArray &requestBody,
QByteArray &decryptedResponse,
const DecryptionHook &decryptionHook) = 0;
};
} // namespace amnezia::transport
#endif // IGATEWAYTRANSPORT_H

2
client/settings.cpp
View File

@@ -15,7 +15,7 @@ namespace
const char cloudFlareNs2[] = "1.0.0.1";
//constexpr char gatewayEndpoint[] = "http://localhost:80/";
constexpr char gatewayEndpoint[] = "http://127.0.0.1:80/";
constexpr char gatewayEndpoint[] = "http://localhost:80/";
}
Settings::Settings(QObject *parent) : QObject(parent), m_settings(ORGANIZATION_NAME, APPLICATION_NAME, this)

6
client/tests/CMakeLists.txt
View File

@@ -43,8 +43,9 @@ add_definitions(-DAGW_DNS_TIMEOUT_MS="$ENV{AGW_DNS_TIMEOUT_MS}")
qt_add_executable(${PROJECT_NAME}
tst_transports.cpp
${CLIENT_ROOT_DIR}/core/networkUtilities.cpp
${CLIENT_ROOT_DIR}/core/networkUtilities.h
${CLIENT_ROOT_DIR}/core/transport/dns/dnsResolver.cpp
${CLIENT_ROOT_DIR}/core/transport/dns/dnsTunnel.cpp
${CLIENT_ROOT_DIR}/core/transport/dns/dnsPacket.cpp
${QSIMPLECRYPTO_DIR}/sources/QBlockCipher.cpp
${QSIMPLECRYPTO_DIR}/sources/QRsa.cpp
${QSIMPLECRYPTO_DIR}/sources/QX509.cpp
@@ -55,6 +56,7 @@ qt_add_executable(${PROJECT_NAME}
target_include_directories(${PROJECT_NAME} PRIVATE
${CLIENT_ROOT_DIR}
${CLIENT_ROOT_DIR}/core
${CLIENT_ROOT_DIR}/core/transport
${QSIMPLECRYPTO_DIR}
${QSIMPLECRYPTO_DIR}/include
${OPENSSL_INCLUDE_DIR}

37
client/tests/tst_transports.cpp
View File

@@ -12,13 +12,16 @@
#include <QTest>
#include <QUrl>
#include "networkUtilities.h"
#include "transport/dns/dnsResolver.h"
#include "transport/dns/dnsTunnel.h"
#include "QBlockCipher.h"
#include "QRsa.h"
#include <openssl/evp.h>
#include <openssl/rsa.h>
using amnezia::transport::dns::DnsProtocol;
struct TransportResult {
QString name;
bool success = false;
@@ -32,7 +35,7 @@ struct TestConfig {
QString httpEndpoint;
struct DnsEntry {
QString name;
NetworkUtilities::DnsTransport type;
DnsProtocol type;
QString server;
QString domain;
quint16 port;
@@ -57,7 +60,7 @@ static TestConfig buildConfigFromEnv()
if (server.isEmpty() || domain.isEmpty()) return cfg;
auto addEntry = [&](NetworkUtilities::DnsTransport type, const QString &name,
auto addEntry = [&](DnsProtocol type, const QString &name,
const char *portDefine, quint16 defaultPort, const QString &dohPath = QString()) {
TestConfig::DnsEntry e;
e.type = type;
@@ -70,15 +73,15 @@ static TestConfig buildConfigFromEnv()
cfg.dnsTransports.append(e);
};
addEntry(NetworkUtilities::DnsTransport::Udp, "UDP", AGW_DNS_PORT_UDP, 5353);
addEntry(NetworkUtilities::DnsTransport::Tcp, "TCP", AGW_DNS_PORT_UDP, 5353);
addEntry(NetworkUtilities::DnsTransport::Tls, "DoT", AGW_DNS_PORT_DOT, 853);
addEntry(DnsProtocol::Udp, "UDP", AGW_DNS_PORT_UDP, 5353);
addEntry(DnsProtocol::Tcp, "TCP", AGW_DNS_PORT_UDP, 5353);
addEntry(DnsProtocol::Tls, "DoT", AGW_DNS_PORT_DOT, 853);
QString dohPath = QString(AGW_DNS_DOH_PATH);
if (dohPath.isEmpty()) dohPath = "/dns-query";
addEntry(NetworkUtilities::DnsTransport::Https, "DoH", AGW_DNS_PORT_DOH, 443, dohPath);
addEntry(DnsProtocol::Https, "DoH", AGW_DNS_PORT_DOH, 443, dohPath);
addEntry(NetworkUtilities::DnsTransport::Quic, "DoQ", AGW_DNS_PORT_DOQ, 8853);
addEntry(DnsProtocol::Quic, "DoQ", AGW_DNS_PORT_DOQ, 8853);
return cfg;
}
@@ -93,7 +96,6 @@ static QString resolveHost(const QString &host)
return host;
}
// Replicate the RSA+AES encryption from GatewayController::prepareRequest
struct EncryptedPayload {
QByteArray body;
QByteArray key;
@@ -220,11 +222,10 @@ private:
QElapsedTimer timer;
timer.start();
bool needsHostname = (entry.type == NetworkUtilities::DnsTransport::Https ||
entry.type == NetworkUtilities::DnsTransport::Tls);
bool needsHostname = (entry.type == DnsProtocol::Https || entry.type == DnsProtocol::Tls);
QString serverAddr = needsHostname ? entry.server : resolvedIp;
r.responseBody = NetworkUtilities::sendViaDnsTunnel(
r.responseBody = amnezia::transport::dns::DnsTunnel::send(
payload, "services", entry.domain,
serverAddr, entry.type, entry.port,
m_config.timeoutMs, entry.dohPath);
@@ -242,7 +243,7 @@ private slots:
m_config = buildConfigFromEnv();
QVERIFY2(!m_config.dnsTransports.isEmpty(),
"AGW_DNS_SERVER / AGW_DNS_DOMAIN not set cannot run transport tests");
"AGW_DNS_SERVER / AGW_DNS_DOMAIN not set -- cannot run transport tests");
qDebug() << "HTTP endpoint:" << m_config.httpEndpoint;
qDebug() << "DNS transports:" << m_config.dnsTransports.size();
@@ -263,8 +264,6 @@ private slots:
}
}
// ========== Transport-level tests (raw payload, no encryption) ==========
void test_transport_http()
{
QByteArray payload = R"({"test":true})";
@@ -280,7 +279,7 @@ private slots:
QTest::addColumn<int>("transportIndex");
for (int i = 0; i < m_config.dnsTransports.size(); ++i) {
const auto &e = m_config.dnsTransports[i];
if (e.type == NetworkUtilities::DnsTransport::Quic) continue;
if (e.type == DnsProtocol::Quic) continue;
QTest::newRow(qPrintable(e.name)) << i;
}
}
@@ -303,8 +302,6 @@ private slots:
}
}
// ========== E2E tests (RSA+AES encryption, full round-trip) ==========
void test_e2e_http()
{
if (!m_hasRsaKey) QSKIP("No RSA key -- skipping E2E");
@@ -339,7 +336,7 @@ private slots:
QTest::addColumn<int>("transportIndex");
for (int i = 0; i < m_config.dnsTransports.size(); ++i) {
const auto &e = m_config.dnsTransports[i];
if (e.type == NetworkUtilities::DnsTransport::Quic) continue;
if (e.type == DnsProtocol::Quic) continue;
QTest::newRow(qPrintable(QString("E2E-%1").arg(e.name))) << i;
}
}
@@ -382,8 +379,6 @@ private slots:
}
}
// ========== Summary ==========
void cleanupTestCase()
{
qDebug() << "";

4
client/ui/controllers/api/apiConfigsController.cpp
View File

@@ -749,7 +749,7 @@ bool ApiConfigsController::updateServiceFromTelegram(const int serverIndex)
gatewayController.setTransportsConfig(GatewayController::buildTransportsConfig());
ErrorCode errorCode = gatewayController.postParallel(endpoint, apiPayload, responseBody);
ErrorCode errorCode = gatewayController.post(endpoint, apiPayload, responseBody);
if (errorCode == ErrorCode::NoError) {
errorCode = fillServerConfig(serviceProtocol, protocolData, responseBody, serverConfig);
@@ -963,5 +963,5 @@ ErrorCode ApiConfigsController::executeRequest(const QString &endpoint, const QJ
gatewayController.setTransportsConfig(GatewayController::buildTransportsConfig());
return gatewayController.postParallel(endpoint, apiPayload, responseBody);
return gatewayController.post(endpoint, apiPayload, responseBody);
}

2
client/ui/controllers/api/apiNewsController.cpp
View File

@@ -55,7 +55,7 @@ void ApiNewsController::fetchNews(bool showError)
gatewayController.setTransportsConfig(GatewayController::buildTransportsConfig());
QByteArray responseBody;
ErrorCode errorCode = gatewayController.postParallel(endpoint, payload, responseBody);
ErrorCode errorCode = gatewayController.post(endpoint, payload, responseBody);
if (errorCode != ErrorCode::NoError) {
emit errorOccurred(errorCode, showError);

2
client/ui/controllers/api/apiSettingsController.cpp
View File

@@ -79,7 +79,7 @@ bool ApiSettingsController::getAccountInfo(bool reload)
gatewayController.setTransportsConfig(GatewayController::buildTransportsConfig());
ErrorCode errorCode = gatewayController.postParallel(endpoint, apiPayload, responseBody);
ErrorCode errorCode = gatewayController.post(endpoint, apiPayload, responseBody);
if (errorCode != ErrorCode::NoError) {
emit errorOccurred(errorCode);