multi: Added Tor support

This commit adds Tor support. Users can set the --TorSocks flag to specify which port Tor's SOCKS5 proxy is listening on so that lnd can connect to it. When this flag is set, ALL traffic gets routed over Tor including DNS traffic. Special functions for DNS lookups were added, and since Tor doesn't natively support SRV requests, the proxySRV function routes connects us to a DNS server via Tor and SRV requests can be issued directly to the DNS server. Co-authored-by: MeshCollider <dobsonsa68@gmail.com>
ProofOfKeags · Feb 6, 2018 · e2142c7 · e2142c7
1 parent 1874183
commit e2142c7
Show file tree

Hide file tree

Showing 8 changed files with 314 additions and 27 deletions.
diff --git a/brontide/conn.go b/brontide/conn.go
@@ -32,9 +32,19 @@ var _ net.Conn = (*Conn)(nil)
 // remote peer located at address which has remotePub as its long-term static
 // public key. In the case of a handshake failure, the connection is closed and
 // a non-nil error is returned.
-func Dial(localPriv *btcec.PrivateKey, netAddr *lnwire.NetAddress) (*Conn, error) {
+func Dial(localPriv *btcec.PrivateKey, netAddr *lnwire.NetAddress,
+	dialer ...func(string, string) (net.Conn, error)) (*Conn, error) {
 	ipAddr := netAddr.Address.String()
-	conn, err := net.Dial("tcp", ipAddr)
+	var conn net.Conn
+	var err error
+	if dialer == nil {
+		// A Tor proxy dial function WAS NOT passed in.
+		conn, err = net.Dial("tcp", ipAddr)
+	} else {
+		// A Tor proxy dial function WAS passed in so we use it instead
+		// of golang's net.Dial.
+		conn, err = dialer[0]("tcp", ipAddr)
+	}
 	if err != nil {
 		return nil, err
 	}

diff --git a/brontide/listener.go b/brontide/listener.go
@@ -24,6 +24,8 @@ var _ net.Listener = (*Listener)(nil)
 
 // NewListener returns a new net.Listener which enforces the Brontide scheme
 // during both initial connection establishment and data transfer.
+// Note: though this function uses ResolveTCPAddr, we don't need to call the
+// general lndResolveTCP function since we are resolving a local address.
 func NewListener(localStatic *btcec.PrivateKey, listenAddr string) (*Listener,
 	error) {
 	addr, err := net.ResolveTCPAddr("tcp", listenAddr)

diff --git a/channeldb/channel.go b/channeldb/channel.go
@@ -65,6 +65,12 @@ var (
 	// channel closure. This key should be accessed from within the
 	// sub-bucket of a target channel, identified by its channel point.
 	revocationLogBucket = []byte("revocation-log-key")
+
+	// resolveTCP is a resolver that is used to resolve nodes'
+	// publicly advertised addresses. It is set to net.ResolveTCPAddr
+	// initially, but the SetResolver function can be used to change this
+	// to a Tor-specific resolver.
+	resolveTCP = net.ResolveTCPAddr
 )
 
 var (
@@ -389,6 +395,12 @@ type OpenChannel struct {
 	sync.RWMutex
 }
 
+// SetResolver sets resolveTCP to a resolver other than the default
+// net.ResolveTCPAddr resolver function.
+func SetResolver(resolver func(string, string) (*net.TCPAddr, error)) {
+	resolveTCP = resolver
+}
+
 // FullSync serializes, and writes to disk the *full* channel state, using
 // both the active channel bucket to store the prefixed column fields, and the
 // remote node's ID to store the remainder of the channel state.

diff --git a/channeldb/nodes.go b/channeldb/nodes.go
@@ -275,7 +275,10 @@ func deserializeLinkNode(r io.Reader) (*LinkNode, error) {
 			return nil, err
 		}
 
-		addr, err := net.ResolveTCPAddr("tcp", addrString)
+		// We use the general resolveTCP function in case a separate
+		// resolver was specified in the SetResolver function. By
+		// default resolveTCP = net.ResolveTCPAddr.
+		addr, err := resolveTCP("tcp", addrString)
 		if err != nil {
 			return nil, err
 		}

diff --git a/config.go b/config.go
@@ -17,11 +17,15 @@ import (
 	"strings"
 	"time"
 
+	"github.com/btcsuite/btcd/connmgr"
 	flags "github.com/jessevdk/go-flags"
+	"github.com/btcsuite/go-socks/socks"
 	"github.com/lightningnetwork/lnd/brontide"
 	"github.com/lightningnetwork/lnd/lnwire"
+	"github.com/miekg/dns"
 	"github.com/roasbeef/btcd/btcec"
 	"github.com/roasbeef/btcutil"
+	"golang.org/x/net/proxy"
 )
 
 const (
@@ -158,7 +162,8 @@ type config struct {
 
 	CPUProfile string `long:"cpuprofile" description:"Write CPU profile to the specified file"`
 
-	Profile string `long:"profile" description:"Enable HTTP profiling on given port -- NOTE port must be between 1024 and 65536"`
+	Profile  string `long:"profile" description:"Enable HTTP profiling on given port -- NOTE port must be between 1024 and 65535"`
+	TorSocks string `long:"torsocks" description:"The port that Tor's exposed SOCKS5 proxy is listening on -- NOTE port must be between 1024 and 65535"`
 
 	DebugHTLC          bool `long:"debughtlc" description:"Activate the debug htlc mode. With the debug HTLC mode, all payments sent use a pre-determined R-Hash. Additionally, all HTLCs sent to a node with the debug HTLC R-Hash are immediately settled in the next available state transition."`
 	HodlHTLC           bool `long:"hodlhtlc" description:"Activate the hodl HTLC mode.  With hodl HTLC mode, all incoming HTLCs will be accepted by the receiving node, but no attempt will be made to settle the payment with the sender."`
@@ -182,6 +187,12 @@ type config struct {
 
 	Alias string `long:"alias" description:"The node alias. Used as a moniker by peers and intelligence services"`
 	Color string `long:"color" description:"The color of the node in hex format (i.e. '#3399FF'). Used to customize node appearance in intelligence services"`
+
+	dial       func(string, string) (net.Conn, error)
+	lookup     func(string) ([]string, error)
+	lookupSRV  func(string, string, string) (string, []*net.SRV, error)
+	resolveTCP func(string, string) (*net.TCPAddr, error)
+	// TODO(eugene) - onionDial & related onion functions
 }
 
 // loadConfig initializes and parses the config using a config file and command
@@ -286,6 +297,83 @@ func loadConfig() (*config, error) {
 		return nil, err
 	}
 
+	// Setup dial and DNS resolution (lookup, lookupSRV, resolveTCP) functions
+	// depending on the specified options. The default is to use the standard
+	// golang "net" package functions. When Tor's proxy is specified, the dial
+	// function is set to the proxy specific dial function and the DNS
+	// resolution functions use Tor.
+	cfg.lookup = net.LookupHost
+	cfg.lookupSRV = net.LookupSRV
+	cfg.resolveTCP = net.ResolveTCPAddr
+	if cfg.TorSocks != "" {
+		// Validate Tor port number
+		torport, err := strconv.Atoi(cfg.TorSocks)
+		if err != nil || torport < 1024 || torport > 65535 {
+			str := "%s: The tor socks5 port must be between 1024 and 65535"
+			err := fmt.Errorf(str, funcName)
+			fmt.Fprintln(os.Stderr, err)
+			fmt.Fprintln(os.Stderr, usageMessage)
+			return nil, err
+		}
+
+		proxyAddr := "127.0.0.1:" + cfg.TorSocks
+
+		// If ExternalIPs is set, throw an error since we cannot
+		// listen for incoming connections via Tor's SOCKS5 proxy.
+		if len(cfg.ExternalIPs) != 0 {
+			str := "%s: Cannot set externalip flag with proxy flag - " +
+				"cannot listen for incoming connections via Tor's " +
+				"socks5 proxy"
+			err := fmt.Errorf(str, funcName)
+			return nil, err
+		}
+
+		// We use go-socks for the dialer that actually connects to peers
+		// since it preserves the connection information in a *ProxiedAddr
+		// struct. golang's proxy package abstracts this away and is
+		// therefore unsuitable.
+		p := &socks.Proxy{
+			Addr: proxyAddr,
+		}
+		cfg.dial = p.Dial
+
+		// If we are using Tor, since we only want connections routed
+		// through Tor, listening is disabled.
+		cfg.DisableListen = true
+
+		dialer, err := proxy.SOCKS5(
+			"tcp",
+			proxyAddr,
+			nil,
+			proxy.Direct,
+		)
+		if err != nil {
+			str := "%s: Unable to set up SRV dialer: %v"
+			err := fmt.Errorf(str, funcName, err)
+			return nil, err
+		}
+
+		// Perform all DNS resolution through the Tor proxy. We set the
+		// lookup, lookupSRV, & resolveTCP functions here.
+		cfg.lookup = func(host string) ([]string, error) {
+			return proxyLookup(host, proxyAddr)
+		}
+
+		// lookupSRV uses golang's proxy package since go-socks will
+		// cause the SRV request to hang.
+		cfg.lookupSRV = func(service, proto, name string) (cname string,
+			addrs []*net.SRV, err error) {
+			return proxySRV(dialer, service, proto, name)
+		}
+
+		// resolveTCP uses TCP over Tor to resolve TCP addresses and
+		// returns a pointer to a net.TCPAddr struct in the same manner
+		// that the net.ResolveTCPAddr function does.
+		cfg.resolveTCP = func(network, address string) (*net.TCPAddr, error) {
+			return proxyTCP(address, cfg.lookup)
+		}
+	}
+
 	switch {
 	// At this moment, multiple active chains are not supported.
 	case cfg.Litecoin.Active && cfg.Bitcoin.Active:
@@ -627,10 +715,136 @@ func supportedSubsystems() []string {
 func noiseDial(idPriv *btcec.PrivateKey) func(net.Addr) (net.Conn, error) {
 	return func(a net.Addr) (net.Conn, error) {
 		lnAddr := a.(*lnwire.NetAddress)
-		return brontide.Dial(idPriv, lnAddr)
+		if cfg.dial == nil {
+			return brontide.Dial(idPriv, lnAddr)
+		}
+		return brontide.Dial(idPriv, lnAddr, cfg.dial)
 	}
 }
 
+// lndLookup resolves the IP address of a given host using the correct DNS
+// function depending on the lookup configuration options. Lookup can be done
+// via golang's system resolver or via Tor. When Tor is used, only IPv4
+// addresses are returned.
+func lndLookup(host string) ([]string, error) {
+	return cfg.lookup(host)
+}
+
+// lndLookupSRV queries a DNS server with SRV requests depending on the
+// configuration options. SRV queries can be done via golang's system
+// resolver or through (but not by!) Tor.
+func lndLookupSRV(service, proto, name string) (string, []*net.SRV, error) {
+	return cfg.lookupSRV(service, proto, name)
+}
+
+// lndResolveTCP resolves TCP addresses into type *net.TCPAddr. Depending on
+// configuration options, this resolution can be done via golang's system
+// resolver or via Tor.
+func lndResolveTCP(network, address string) (*net.TCPAddr, error) {
+	return cfg.resolveTCP(network, address)
+}
+
+// proxyLookup uses Tor to resolve DNS via the SOCKS extension they provide for
+// resolution over the Tor network. Only IPV4 is supported. Unlike btcd's
+// TorLookupIP function, however, this function returns a ([]string, error)
+// tuple.
+func proxyLookup(host string, proxy string) ([]string, error) {
+	ip, err := connmgr.TorLookupIP(host, proxy)
+	if err != nil {
+		return nil, err
+	}
+
+	var addrs []string
+	// Only one IPv4 address is returned by the TorLookupIP function.
+	addrs = append(addrs, ip[0].String())
+	return addrs, nil
+}
+
+// proxyTCP uses Tor's proxy to resolve tcp addresses instead of the system resolver
+// that ResolveTCPAddr and related functions use. This resolver only queries DNS
+// servers in the case a hostname is passed in the address parameter. Only TCP
+// resolution is supported.
+func proxyTCP(address string, lookupFn func(string) ([]string, error)) (*net.TCPAddr, error) {
+	// Split host:port since the lookup function does not take a port.
+	host, port, err := net.SplitHostPort(address)
+	if err != nil {
+		return nil, err
+	}
+
+	// Look up the host's IP address via Tor.
+	ip, err := lookupFn(host)
+	if err != nil {
+		return nil, err
+	}
+
+	// Convert port to an int
+	p, err := strconv.Atoi(port)
+	if err != nil {
+		return nil, err
+	}
+
+	// Return a pointer to a net.TCPAddr struct exactly like ResolveTCPAddr.
+	return &net.TCPAddr{
+		IP:   net.ParseIP(ip[0]),
+		Port: p,
+	}, nil
+}
+
+// proxySRV uses Tor's proxy to route DNS SRV requests. Tor does not support
+// SRV queries. Therefore, we must route all SRV requests THROUGH the Tor proxy
+// and connect directly to a DNS server and query it. Note: the DNS server must
+// be a Lightning DNS server that follows the BOLT#10 specification.
+func proxySRV(dialer proxy.Dialer, service, proto, name string) (string, []*net.SRV, error) {
+
+	// _service._proto.name as described in RFC#2782.
+	host := "_" + service + "._" + proto + "." + name + "."
+
+	// Dial Eugene's lseed.
+	conn, err := dialer.Dial("tcp", "108.26.210.110:8053")
+	if err != nil {
+		return "", nil, err
+	}
+
+	// Construct the actual SRV request.
+	msg := new(dns.Msg)
+	msg.SetQuestion(host, dns.TypeSRV)
+	msg.RecursionDesired = true
+
+	dnsConn := &dns.Conn{
+		Conn: conn,
+	}
+	defer dnsConn.Close()
+
+	// Write the SRV request
+	dnsConn.WriteMsg(msg)
+
+	// Read the response
+	resp, err := dnsConn.ReadMsg()
+	if err != nil {
+		return "", nil, err
+	}
+
+	if resp.Rcode != dns.RcodeSuccess {
+		// TODO(eugene) - table of Rcode fmt.Errors
+		return "", nil, fmt.Errorf("Unsuccessful SRV request, received: %d",
+			resp.Rcode)
+	}
+
+	// Retrieve the RR(s) of the Answer section.
+	var rrs []*net.SRV
+	for _, rr := range resp.Answer {
+		srv := rr.(*dns.SRV)
+		rrs = append(rrs, &net.SRV{
+			Target:   srv.Target,
+			Port:     srv.Port,
+			Priority: srv.Priority,
+			Weight:   srv.Weight,
+		})
+	}
+
+	return "", rrs, nil
+}
+
 func parseRPCParams(cConfig *chainConfig, nodeConfig interface{}, net chainCode,
 	funcName string) error {
 	// If the configuration has already set the RPCUser and RPCPass, and

diff --git a/discovery/bootstrapper.go b/discovery/bootstrapper.go
@@ -247,6 +247,7 @@ type DNSSeedBootstrapper struct {
 	// receive the IP address of the current authoritative DNS server for
 	// the network seed.
 	dnsSeeds [][2]string
+	lookupFns []interface{}
 }
 
 // A compile time assertion to ensure that DNSSeedBootstrapper meets the
@@ -260,12 +261,10 @@ var _ NetworkPeerBootstrapper = (*ChannelGraphBootstrapper)(nil)
 // used as a fallback for manual TCP resolution in the case of an error
 // receiving the UDP response. The second host should return a single A record
 // with the IP address of the authoritative name server.
-//
-// TODO(roasbeef): add a lookUpFunc param to pass in, so can divert queries
-// over Tor in future
-func NewDNSSeedBootstrapper(seeds [][2]string) (NetworkPeerBootstrapper, error) {
+func NewDNSSeedBootstrapper(seeds [][2]string, lookupFns []interface{}) (NetworkPeerBootstrapper, error) {
 	return &DNSSeedBootstrapper{
-		dnsSeeds: seeds,
+		dnsSeeds:  seeds,
+		lookupFns: lookupFns,
 	}, nil
 }
 
@@ -349,9 +348,10 @@ search:
 		for _, dnsSeedTuple := range d.dnsSeeds {
 			// We'll first query the seed with an SRV record so we
 			// can obtain a random sample of the encoded public
-			// keys of nodes.
+			// keys of nodes. We use the lndLookupSRV function for
+			// this task.
 			primarySeed := dnsSeedTuple[0]
-			_, addrs, err := net.LookupSRV("nodes", "tcp", primarySeed)
+			_, addrs, err := d.lookupFns[1].(func(string, string, string) (string, []*net.SRV, error))("nodes", "tcp", primarySeed)
 			if err != nil {
 				log.Tracef("Unable to lookup SRV records via " +
 					"primary seed, falling back to secondary")
@@ -387,9 +387,10 @@ search:
 				// With the SRV target obtained, we'll now
 				// perform another query to obtain the IP
 				// address for the matching bech32 encoded node
-				// key.
+				// key. We use the lndLookup function for this
+				// task.
 				bechNodeHost := nodeSrv.Target
-				addrs, err := net.LookupHost(bechNodeHost)
+				addrs, err := d.lookupFns[0].(func(string) ([]string, error))(bechNodeHost)
 				if err != nil {
 					return nil, err
 				}
@@ -441,7 +442,9 @@ search:
 
 				// Finally we'll convert the host:port peer to
 				// a proper TCP address to use within the
-				// lnwire.NetAddress.
+				// lnwire.NetAddress. We don't need to use
+				// the lndResolveTCP function here because we
+				// already have the host:port peer.
 				addr := net.JoinHostPort(addrs[0],
 					strconv.FormatUint(uint64(nodeSrv.Port), 10))
 				tcpAddr, err := net.ResolveTCPAddr("tcp", addr)