@omindu/yaksha 1.0.0

package/src/core/protocol.js

@@ -0,0 +1,268 @@
+'use strict';
+
+/**
+ * Yaksha Protocol Handler
+ * Custom protocol for packet parsing and handling
+ */
+
+const crypto = require('crypto');
+const { globalPool } = require('../utils/buffer-pool');
+
+// Packet types
+const PACKET_TYPES = {
+  HANDSHAKE: 0x01,
+  DATA: 0x02,
+  ACK: 0x03,
+  CLOSE: 0x04,
+  KEEPALIVE: 0x05
+};
+
+// Protocol version
+const PROTOCOL_VERSION = 0x01;
+
+// Header size (fixed 16 bytes)
+const HEADER_SIZE = 16;
+
+class Protocol {
+  constructor(options = {}) {
+    this.version = PROTOCOL_VERSION;
+    this.maxPayloadSize = options.maxPayloadSize || 65535;
+    this.enablePadding = options.enablePadding !== false;
+  }
+
+  /**
+   * Create a packet header
+   * Header structure (16 bytes):
+   * - Version (1 byte)
+   * - Type (1 byte)
+   * - Length (2 bytes) - payload length
+   * - Session ID (4 bytes)
+   * - Sequence (4 bytes)
+   * - Checksum (4 bytes)
+   */
+  createHeader(type, payloadLength, sessionId, sequence) {
+    const header = globalPool.acquire(HEADER_SIZE, true);
+
+    // Version
+    header.writeUInt8(this.version, 0);
+
+    // Type
+    header.writeUInt8(type, 1);
+
+    // Length (uint16, max 65535)
+    header.writeUInt16BE(payloadLength, 2);
+
+    // Session ID (uint32)
+    header.writeUInt32BE(sessionId, 4);
+
+    // Sequence (uint32)
+    header.writeUInt32BE(sequence, 8);
+
+    // Checksum placeholder (will be filled later)
+    header.writeUInt32BE(0, 12);
+
+    return header;
+  }
+
+  /**
+   * Calculate CRC32 checksum
+   */
+  calculateChecksum(data) {
+    // Simple CRC32 implementation
+    let crc = 0xFFFFFFFF;
+    for (let i = 0; i < data.length; i++) {
+      crc ^= data[i];
+      for (let j = 0; j < 8; j++) {
+        crc = (crc >>> 1) ^ (0xEDB88320 & -(crc & 1));
+      }
+    }
+    return (crc ^ 0xFFFFFFFF) >>> 0;
+  }
+
+  /**
+   * Add random padding for traffic obfuscation
+   */
+  addPadding(data, maxPaddingSize = 255) {
+    if (!this.enablePadding) {
+      return { data, paddingSize: 0 };
+    }
+
+    const paddingSize = crypto.randomInt(0, Math.min(maxPaddingSize + 1, 256));
+    if (paddingSize === 0) {
+      return { data, paddingSize: 0 };
+    }
+
+    const padding = crypto.randomBytes(paddingSize);
+    const paddedData = Buffer.concat([data, padding]);
+
+    return { data: paddedData, paddingSize };
+  }
+
+  /**
+   * Remove padding from data
+   */
+  removePadding(data, paddingSize) {
+    if (paddingSize === 0) {
+      return data;
+    }
+    return data.slice(0, -paddingSize);
+  }
+
+  /**
+   * Serialize packet
+   */
+  serialize(type, payload, sessionId, sequence) {
+    // Add padding to payload
+    const { data: paddedPayload, paddingSize } = this.addPadding(payload);
+
+    // Create header
+    const header = this.createHeader(type, paddedPayload.length, sessionId, sequence);
+
+    // Combine header and payload
+    const packet = Buffer.concat([header, paddedPayload]);
+
+    // Calculate and update checksum (checksum covers header + payload)
+    const checksum = this.calculateChecksum(packet);
+    packet.writeUInt32BE(checksum, 12);
+
+    return { packet, paddingSize };
+  }
+
+  /**
+   * Parse packet header
+   */
+  parseHeader(buffer) {
+    if (buffer.length < HEADER_SIZE) {
+      throw new Error('Buffer too small for header');
+    }
+
+    const version = buffer.readUInt8(0);
+    const type = buffer.readUInt8(1);
+    const length = buffer.readUInt16BE(2);
+    const sessionId = buffer.readUInt32BE(4);
+    const sequence = buffer.readUInt32BE(8);
+    const checksum = buffer.readUInt32BE(12);
+
+    // Validate version
+    if (version !== this.version) {
+      throw new Error(`Unsupported protocol version: ${version}`);
+    }
+
+    // Validate type
+    if (!Object.values(PACKET_TYPES).includes(type)) {
+      throw new Error(`Invalid packet type: ${type}`);
+    }
+
+    // Validate length
+    if (length > this.maxPayloadSize) {
+      throw new Error(`Payload too large: ${length}`);
+    }
+
+    return {
+      version,
+      type,
+      length,
+      sessionId,
+      sequence,
+      checksum
+    };
+  }
+
+  /**
+   * Deserialize packet
+   */
+  deserialize(buffer, paddingSize = 0) {
+    // Parse header
+    const header = this.parseHeader(buffer);
+
+    // Check if we have complete packet
+    const expectedSize = HEADER_SIZE + header.length;
+    if (buffer.length < expectedSize) {
+      throw new Error(`Incomplete packet: expected ${expectedSize}, got ${buffer.length}`);
+    }
+
+    // Verify checksum
+    const storedChecksum = header.checksum;
+    
+    // Create a copy of packet and zero out checksum field for verification
+    const packetCopy = Buffer.from(buffer.slice(0, expectedSize));
+    packetCopy.writeUInt32BE(0, 12);
+    
+    const calculatedChecksum = this.calculateChecksum(packetCopy);
+
+    if (storedChecksum !== calculatedChecksum) {
+      throw new Error('Checksum verification failed');
+    }
+
+    // Extract payload
+    let payload = buffer.slice(HEADER_SIZE, expectedSize);
+
+    // Remove padding if present
+    payload = this.removePadding(payload, paddingSize);
+
+    return {
+      header,
+      payload,
+      totalSize: expectedSize
+    };
+  }
+
+  /**
+   * Create HANDSHAKE packet
+   */
+  createHandshake(sessionId, sequence, data) {
+    return this.serialize(PACKET_TYPES.HANDSHAKE, data, sessionId, sequence);
+  }
+
+  /**
+   * Create DATA packet
+   */
+  createData(sessionId, sequence, data) {
+    return this.serialize(PACKET_TYPES.DATA, data, sessionId, sequence);
+  }
+
+  /**
+   * Create ACK packet
+   */
+  createAck(sessionId, sequence, ackSequence) {
+    const ackBuffer = Buffer.allocUnsafe(4);
+    ackBuffer.writeUInt32BE(ackSequence, 0);
+    return this.serialize(PACKET_TYPES.ACK, ackBuffer, sessionId, sequence);
+  }
+
+  /**
+   * Create CLOSE packet
+   */
+  createClose(sessionId, sequence, reason = '') {
+    const reasonBuffer = Buffer.from(reason, 'utf8');
+    return this.serialize(PACKET_TYPES.CLOSE, reasonBuffer, sessionId, sequence);
+  }
+
+  /**
+   * Create KEEPALIVE packet
+   */
+  createKeepalive(sessionId, sequence) {
+    const timestamp = Buffer.allocUnsafe(8);
+    timestamp.writeBigUInt64BE(BigInt(Date.now()), 0);
+    return this.serialize(PACKET_TYPES.KEEPALIVE, timestamp, sessionId, sequence);
+  }
+
+  /**
+   * Get packet type name
+   */
+  getTypeName(type) {
+    const typeNames = {
+      [PACKET_TYPES.HANDSHAKE]: 'HANDSHAKE',
+      [PACKET_TYPES.DATA]: 'DATA',
+      [PACKET_TYPES.ACK]: 'ACK',
+      [PACKET_TYPES.CLOSE]: 'CLOSE',
+      [PACKET_TYPES.KEEPALIVE]: 'KEEPALIVE'
+    };
+    return typeNames[type] || 'UNKNOWN';
+  }
+}
+
+module.exports = Protocol;
+module.exports.PACKET_TYPES = PACKET_TYPES;
+module.exports.HEADER_SIZE = HEADER_SIZE;
+module.exports.PROTOCOL_VERSION = PROTOCOL_VERSION;

package/src/features/dns-override.js

@@ -0,0 +1,403 @@
+'use strict';
+
+/**
+ * Yaksha DNS Override and Tunneling
+ * Prevent DNS leaks by tunneling all DNS queries through VPN
+ */
+
+const dns = require('dns');
+const dgram = require('dgram');
+const EventEmitter = require('events');
+const Logger = require('../utils/logger');
+
+// DNS providers
+const DNS_PROVIDERS = {
+  CLOUDFLARE: { primary: '1.1.1.1', secondary: '1.0.0.1', doh: 'https://cloudflare-dns.com/dns-query' },
+  GOOGLE: { primary: '8.8.8.8', secondary: '8.8.4.4', doh: 'https://dns.google/dns-query' },
+  QUAD9: { primary: '9.9.9.9', secondary: '149.112.112.112', doh: 'https://dns.quad9.net/dns-query' },
+  OPENDNS: { primary: '208.67.222.222', secondary: '208.67.220.220' }
+};
+
+class DNSOverride extends EventEmitter {
+  constructor(securityLevel = 'medium', options = {}) {
+    super();
+    
+    this.securityLevel = securityLevel;
+    this.mode = this._selectMode(securityLevel);
+    this.provider = options.provider || 'CLOUDFLARE';
+    this.customResolver = options.customResolver || null;
+    this.enabled = options.enabled !== false;
+    this.cacheTTL = options.cacheTTL || 300000; // 5 minutes
+    
+    this.cache = new Map(); // domain -> { records, timestamp }
+    this.logger = new Logger({ prefix: 'DNS' });
+  }
+
+  /**
+   * Select DNS mode based on security level
+   */
+  _selectMode(level) {
+    switch (level) {
+      case 'low':
+        return 'override';
+      case 'medium':
+        return 'doh';
+      case 'high':
+        return 'dot-dnssec';
+      default:
+        return 'doh';
+    }
+  }
+
+  /**
+   * Get DNS provider configuration
+   */
+  _getProvider() {
+    if (this.customResolver) {
+      return this.customResolver;
+    }
+
+    return DNS_PROVIDERS[this.provider] || DNS_PROVIDERS.CLOUDFLARE;
+  }
+
+  /**
+   * Check DNS cache
+   */
+  _checkCache(domain) {
+    if (!this.cache.has(domain)) {
+      return null;
+    }
+
+    const cached = this.cache.get(domain);
+    const now = Date.now();
+
+    // Check if cache expired
+    if (now - cached.timestamp > this.cacheTTL) {
+      this.cache.delete(domain);
+      return null;
+    }
+
+    return cached.records;
+  }
+
+  /**
+   * Update DNS cache
+   */
+  _updateCache(domain, records) {
+    this.cache.set(domain, {
+      records,
+      timestamp: Date.now()
+    });
+  }
+
+  /**
+   * Basic DNS override (replace system DNS)
+   */
+  async _resolveOverride(domain, type = 'A') {
+    const provider = this._getProvider();
+    
+    return new Promise((resolve, reject) => {
+      const resolver = new dns.Resolver();
+      resolver.setServers([provider.primary, provider.secondary]);
+
+      const method = type === 'A' ? 'resolve4' : 
+                    type === 'AAAA' ? 'resolve6' :
+                    type === 'MX' ? 'resolveMx' :
+                    type === 'TXT' ? 'resolveTxt' :
+                    'resolve4';
+
+      resolver[method](domain, (error, records) => {
+        if (error) {
+          reject(error);
+        } else {
+          resolve(records);
+        }
+      });
+    });
+  }
+
+  /**
+   * DNS over HTTPS (DoH)
+   */
+  async _resolveDoH(domain, type = 'A') {
+    const provider = this._getProvider();
+    
+    if (!provider.doh) {
+      throw new Error('Provider does not support DoH');
+    }
+
+    const https = require('https');
+    const url = `${provider.doh}?name=${encodeURIComponent(domain)}&type=${type}`;
+
+    return new Promise((resolve, reject) => {
+      https.get(url, {
+        headers: {
+          'Accept': 'application/dns-json'
+        }
+      }, (res) => {
+        let data = '';
+
+        res.on('data', chunk => {
+          data += chunk;
+        });
+
+        res.on('end', () => {
+          try {
+            const response = JSON.parse(data);
+            
+            if (response.Status !== 0) {
+              reject(new Error(`DNS query failed: ${response.Status}`));
+              return;
+            }
+
+            const records = response.Answer
+              ? response.Answer.map(answer => answer.data)
+              : [];
+
+            resolve(records);
+          } catch (error) {
+            reject(error);
+          }
+        });
+      }).on('error', reject);
+    });
+  }
+
+  /**
+   * DNS over TLS (DoT) with DNSSEC
+   */
+  async _resolveDoT(domain, type = 'A') {
+    // Simplified DoT implementation
+    // In production, use a proper DoT library
+    
+    const tls = require('tls');
+    const provider = this._getProvider();
+
+    return new Promise((resolve, reject) => {
+      const socket = tls.connect({
+        host: provider.primary,
+        port: 853,
+        servername: provider.primary
+      }, () => {
+        // Build DNS query packet (simplified)
+        // In production, use proper DNS packet formatting
+        
+        const query = Buffer.from([
+          0x00, 0x1c, // Length
+          0xaa, 0xaa, // Transaction ID
+          0x01, 0x00, // Flags: standard query
+          0x00, 0x01, // Questions: 1
+          0x00, 0x00, // Answer RRs
+          0x00, 0x00, // Authority RRs
+          0x00, 0x00, // Additional RRs
+          // Question section would follow
+        ]);
+
+        socket.write(query);
+      });
+
+      socket.on('data', (data) => {
+        // Parse DNS response (simplified)
+        // For this implementation, fall back to DoH
+        socket.end();
+        resolve(this._resolveDoH(domain, type));
+      });
+
+      socket.on('error', reject);
+      
+      socket.setTimeout(5000);
+      socket.on('timeout', () => {
+        socket.destroy();
+        reject(new Error('DNS query timeout'));
+      });
+    });
+  }
+
+  /**
+   * Resolve domain name
+   */
+  async resolve(domain, type = 'A') {
+    if (!this.enabled) {
+      // Use system DNS
+      return new Promise((resolve, reject) => {
+        dns.resolve(domain, type, (error, records) => {
+          if (error) reject(error);
+          else resolve(records);
+        });
+      });
+    }
+
+    // Check cache
+    const cacheKey = `${domain}:${type}`;
+    const cached = this._checkCache(cacheKey);
+    
+    if (cached) {
+      this.logger.debug(`DNS cache hit for ${domain}`);
+      return cached;
+    }
+
+    this.logger.debug(`Resolving ${domain} (${type}) via ${this.mode}`);
+
+    try {
+      let records;
+
+      switch (this.mode) {
+        case 'override':
+          records = await this._resolveOverride(domain, type);
+          break;
+
+        case 'doh':
+          records = await this._resolveDoH(domain, type);
+          break;
+
+        case 'dot-dnssec':
+          records = await this._resolveDoT(domain, type);
+          break;
+
+        default:
+          records = await this._resolveDoH(domain, type);
+      }
+
+      // Update cache
+      this._updateCache(cacheKey, records);
+
+      this.emit('resolved', domain, type, records);
+      return records;
+
+    } catch (error) {
+      this.logger.error(`DNS resolution failed for ${domain}:`, error.message);
+      this.emit('error', domain, error);
+      throw error;
+    }
+  }
+
+  /**
+   * Reverse DNS lookup
+   */
+  async reverse(ip) {
+    if (!this.enabled) {
+      return new Promise((resolve, reject) => {
+        dns.reverse(ip, (error, hostnames) => {
+          if (error) reject(error);
+          else resolve(hostnames);
+        });
+      });
+    }
+
+    // Check cache
+    const cached = this._checkCache(`reverse:${ip}`);
+    if (cached) {
+      return cached;
+    }
+
+    try {
+      const hostnames = await this._resolveDoH(ip, 'PTR');
+      this._updateCache(`reverse:${ip}`, hostnames);
+      return hostnames;
+    } catch (error) {
+      this.logger.error(`Reverse DNS lookup failed for ${ip}:`, error.message);
+      throw error;
+    }
+  }
+
+  /**
+   * Lookup (resolve A or AAAA records)
+   */
+  async lookup(domain, options = {}) {
+    const family = options.family || 4;
+    const type = family === 6 ? 'AAAA' : 'A';
+
+    try {
+      const records = await this.resolve(domain, type);
+      
+      if (records.length === 0) {
+        throw new Error(`No ${type} records found for ${domain}`);
+      }
+
+      // Return first record
+      return {
+        address: records[0],
+        family
+      };
+    } catch (error) {
+      if (family === 4) {
+        // Try IPv6 as fallback
+        try {
+          const ipv6Records = await this.resolve(domain, 'AAAA');
+          if (ipv6Records.length > 0) {
+            return {
+              address: ipv6Records[0],
+              family: 6
+            };
+          }
+        } catch (ipv6Error) {
+          // Ignore IPv6 error
+        }
+      }
+      throw error;
+    }
+  }
+
+  /**
+   * Clear DNS cache
+   */
+  clearCache() {
+    this.cache.clear();
+    this.logger.info('DNS cache cleared');
+  }
+
+  /**
+   * Get cache statistics
+   */
+  getCacheStats() {
+    const now = Date.now();
+    let valid = 0;
+    let expired = 0;
+
+    for (const [key, entry] of this.cache.entries()) {
+      if (now - entry.timestamp > this.cacheTTL) {
+        expired++;
+      } else {
+        valid++;
+      }
+    }
+
+    return {
+      total: this.cache.size,
+      valid,
+      expired,
+      ttl: this.cacheTTL
+    };
+  }
+
+  /**
+   * Enable DNS override
+   */
+  enable() {
+    this.enabled = true;
+    this.logger.info('DNS override enabled');
+  }
+
+  /**
+   * Disable DNS override
+   */
+  disable() {
+    this.enabled = false;
+    this.logger.info('DNS override disabled');
+  }
+
+  /**
+   * Get statistics
+   */
+  getStats() {
+    return {
+      enabled: this.enabled,
+      mode: this.mode,
+      provider: this.provider,
+      cache: this.getCacheStats()
+    };
+  }
+}
+
+module.exports = DNSOverride;
+module.exports.DNS_PROVIDERS = DNS_PROVIDERS;