Add DNS(SEC) query and proof messages and onion message handler

TheBlueMatt · TheBlueMatt · commit e2cd09583320 · 2024-07-15T19:19:19.000Z
This creates the initial DNSSEC proof and query messages in a new
module in `onion_message`, as well as a new message handler to
handle them.

In the coming commits, a default implementation will be added which
verifies DNSSEC proofs which can be used to resolve BIP 353 URIs
without relying on anything outside of the lightning network.
diff --git a/lightning/Cargo.toml b/lightning/Cargo.toml
@@ -43,6 +43,8 @@ default = ["std", "grind_signatures"]
 bech32 = { version = "0.9.1", default-features = false }
 bitcoin = { version = "0.31.2", default-features = false, features = ["secp-recovery"] }
 
+dnssec-prover = { version = "0.6", default-features = false }
+
 hashbrown = { version = "0.13", optional = true, default-features = false }
 possiblyrandom = { version = "0.2", optional = true, default-features = false }
 hex = { package = "hex-conservative", version = "0.1.1", default-features = false }
diff --git a/lightning/src/onion_message/dns_resolution.rs b/lightning/src/onion_message/dns_resolution.rs
@@ -0,0 +1,160 @@
+// This file is Copyright its original authors, visible in version control
+// history.
+//
+// This file is licensed under the Apache License, Version 2.0 <LICENSE-APACHE
+// or http://www.apache.org/licenses/LICENSE-2.0> or the MIT license
+// <LICENSE-MIT or http://opensource.org/licenses/MIT>, at your option.
+// You may not use this file except in accordance with one or both of these
+// licenses.
+
+//! This module defines message handling for DNSSEC proof fetching using [bLIP 32].
+//!
+//! It contains [`DNSResolverMessage`]s as well as a [`DNSResolverMessageHandler`] trait to handle
+//! such messages using an [`OnionMessenger`].
+//!
+//! [bLIP 32]: https://github.com/lightning/blips/blob/master/blip-0032.md
+//! [`OnionMessenger`]: super::messenger::OnionMessenger
+
+use dnssec_prover::rr::Name;
+
+use crate::io;
+use crate::ln::msgs::DecodeError;
+use crate::onion_message::messenger::{PendingOnionMessage, Responder, ResponseInstruction};
+use crate::onion_message::packet::OnionMessageContents;
+use crate::prelude::*;
+use crate::util::ser::{Readable, ReadableArgs, Writeable, Writer};
+
+/// A handler for an [`OnionMessage`] containing a DNS(SEC) query or a DNSSEC proof
+///
+/// [`OnionMessage`]: crate::ln::msgs::OnionMessage
+pub trait DNSResolverMessageHandler {
+	/// Handle a [`DNSSECQuery`] message.
+	///
+	/// If we provide DNS resolution services to third parties, we should respond with a
+	/// [`DNSSECProof`] message.
+	fn dnssec_query(
+		&self, message: DNSSECQuery, responder: Option<Responder>,
+	) -> ResponseInstruction<DNSResolverMessage>;
+
+	/// Handle a [`DNSSECProof`] message (in response to a [`DNSSECQuery`] we presumably sent).
+	///
+	/// With this, we should be able to validate the DNS record we requested.
+	fn dnssec_proof(&self, message: DNSSECProof);
+
+	/// Release any [`DNSResolverMessage`]s that need to be sent.
+	#[cfg(not(c_bindings))]
+	fn release_pending_messages(&self) -> Vec<PendingOnionMessage<DNSResolverMessage>> {
+		vec![]
+	}
+
+	/// Release any [`DNSResolverMessage`]s that need to be sent.
+	#[cfg(c_bindings)]
+	fn release_pending_messages(
+		&self,
+	) -> Vec<(
+		DNSResolverMessage,
+		crate::onion_message::messenger::Destination,
+		Option<crate::blinded_path::BlindedPath>,
+	)> {
+		vec![]
+	}
+}
+
+#[derive(Clone, Debug, Hash, PartialEq, Eq)]
+/// An enum containing the possible onion messages which are used uses to request and recieve
+/// DNSSEC proofs.
+pub enum DNSResolverMessage {
+	/// A query requesting a DNSSEC proof
+	DNSSECQuery(DNSSECQuery),
+	/// A response containing a DNSSEC proof
+	DNSSECProof(DNSSECProof),
+}
+
+#[derive(Clone, Debug, Hash, PartialEq, Eq)]
+/// A message which is sent to a DNSSEC prover requesting a DNSSEC proof for the given name.
+pub struct DNSSECQuery(pub Name);
+const DNSSEC_QUERY_TYPE: u64 = 65536;
+
+#[derive(Clone, Debug, Hash, PartialEq, Eq)]
+/// A message which is sent in response to [`DNSSECQuery`] containing a DNSSEC proof.
+pub struct DNSSECProof {
+	/// The name which the query was for. The proof may not contain a DNS RR for exactly this name
+	/// if it contains a wildcard RR which contains this name instead.
+	pub name: Name,
+	/// The RFC 9102-formatted DNSSEC proof.
+	pub proof: Vec<u8>,
+}
+const DNSSEC_PROOF_TYPE: u64 = 65538;
+
+impl DNSResolverMessage {
+	/// Returns whether `tlv_type` corresponds to a TLV record for DNS Resolvers.
+	pub fn is_known_type(tlv_type: u64) -> bool {
+		match tlv_type {
+			DNSSEC_QUERY_TYPE | DNSSEC_PROOF_TYPE => true,
+			_ => false,
+		}
+	}
+}
+
+impl Writeable for DNSResolverMessage {
+	fn write<W: Writer>(&self, w: &mut W) -> Result<(), io::Error> {
+		match self {
+			Self::DNSSECQuery(DNSSECQuery(q)) => {
+				(q.as_str().len() as u8).write(w)?;
+				w.write_all(&q.as_str().as_bytes())
+			},
+			Self::DNSSECProof(DNSSECProof { name, proof }) => {
+				(name.as_str().len() as u8).write(w)?;
+				w.write_all(&name.as_str().as_bytes())?;
+				proof.write(w)
+			},
+		}
+	}
+}
+
+fn read_byte_len_ascii_string<R: io::Read>(buffer: &mut R) -> Result<String, DecodeError> {
+	let len: u8 = Readable::read(buffer)?;
+	let mut bytes = [0; 255];
+	buffer.read_exact(&mut bytes[..len as usize])?;
+	if bytes[..len as usize].iter().any(|b| *b < 0x20 || *b > 0x7e) {
+		// If the bytes are not entirely in the printable ASCII range, fail
+		return Err(DecodeError::InvalidValue);
+	}
+	let s =
+		String::from_utf8(bytes[..len as usize].to_vec()).map_err(|_| DecodeError::InvalidValue)?;
+	Ok(s)
+}
+
+impl ReadableArgs<u64> for DNSResolverMessage {
+	fn read<R: io::Read>(r: &mut R, message_type: u64) -> Result<Self, DecodeError> {
+		match message_type {
+			DNSSEC_QUERY_TYPE => {
+				let s = read_byte_len_ascii_string(r)?;
+				let name = s.try_into().map_err(|_| DecodeError::InvalidValue)?;
+				Ok(DNSResolverMessage::DNSSECQuery(DNSSECQuery(name)))
+			},
+			DNSSEC_PROOF_TYPE => {
+				let s = read_byte_len_ascii_string(r)?;
+				let name = s.try_into().map_err(|_| DecodeError::InvalidValue)?;
+				let proof = Readable::read(r)?;
+				Ok(DNSResolverMessage::DNSSECProof(DNSSECProof { name, proof }))
+			},
+			_ => Err(DecodeError::InvalidValue),
+		}
+	}
+}
+
+impl OnionMessageContents for DNSResolverMessage {
+	fn msg_type(&self) -> &'static str {
+		match self {
+			DNSResolverMessage::DNSSECQuery(_) => "DNS(SEC) Query",
+			DNSResolverMessage::DNSSECProof(_) => "DNSSEC Proof",
+		}
+	}
+	fn tlv_type(&self) -> u64 {
+		match self {
+			DNSResolverMessage::DNSSECQuery(_) => DNSSEC_QUERY_TYPE,
+			DNSResolverMessage::DNSSECProof(_) => DNSSEC_PROOF_TYPE,
+		}
+	}
+}
diff --git a/lightning/src/onion_message/mod.rs b/lightning/src/onion_message/mod.rs
@@ -22,6 +22,7 @@
 //! [`OnionMessenger`]: self::messenger::OnionMessenger
 
 pub mod async_payments;
+pub mod dns_resolution;
 pub mod messenger;
 pub mod offers;
 pub mod packet;
