made DNSEC hostname validation opt-in

This commit is contained in:
Daniel Gultsch 2017-07-10 09:59:25 +02:00
parent da00a58902
commit abf84e065d
5 changed files with 33 additions and 12 deletions

View file

@ -986,7 +986,7 @@ public class XmppConnectionService extends Service {
public void onCreate() {
ExceptionHelper.init(getApplicationContext());
PRNGFixes.apply();
Resolver.registerLookupMechanism(this);
Resolver.registerXmppConnectionService(this);
this.mRandom = new SecureRandom();
updateMemorizingTrustmanager();
final int maxMemory = (int) (Runtime.getRuntime().maxMemory() / 1024);

View file

@ -24,14 +24,23 @@ import de.measite.minidns.record.Data;
import de.measite.minidns.record.InternetAddressRR;
import de.measite.minidns.record.SRV;
import eu.siacs.conversations.Config;
import eu.siacs.conversations.R;
import eu.siacs.conversations.services.XmppConnectionService;
public class Resolver {
private static final String DIRECT_TLS_SERVICE = "_xmpps-client";
private static final String STARTTLS_SERICE = "_xmpp-client";
private static XmppConnectionService SERVICE = null;
public static void registerLookupMechanism(Context context) {
public static void registerXmppConnectionService(XmppConnectionService service) {
Resolver.SERVICE = service;
registerLookupMechanism(service);
}
private static void registerLookupMechanism(Context context) {
DNSClient.addDnsServerLookupMechanism(new AndroidUsingLinkProperties(context));
}
@ -48,7 +57,7 @@ public class Resolver {
Log.d(Config.LOGTAG,Resolver.class.getSimpleName()+": "+e.getMessage());
}
if (results.size() == 0) {
results.addAll(resolveFallback(DNSName.from(domain)));
results.addAll(resolveFallback(DNSName.from(domain),true));
}
Collections.sort(results);
Log.d(Config.LOGTAG,Resolver.class.getSimpleName()+": "+results.toString());
@ -80,7 +89,7 @@ public class Resolver {
}
List<Result> list = new ArrayList<>();
try {
ResolverResult<D> results = resolveWithFallback(DNSName.from(srv.name.toString()),type, !authenticated);
ResolverResult<D> results = resolveWithFallback(DNSName.from(srv.name.toString()),type, authenticated);
for (D record : results.getAnswersOrEmptySet()) {
Result resolverResult = Result.fromRecord(srv, directTls);
resolverResult.authenticated = results.isAuthenticData() && authenticated;
@ -93,18 +102,18 @@ public class Resolver {
return list;
}
private static List<Result> resolveFallback(DNSName dnsName) {
private static List<Result> resolveFallback(DNSName dnsName, boolean withCnames) {
List<Result> results = new ArrayList<>();
try {
for(A a : resolveWithFallback(dnsName,A.class,true).getAnswersOrEmptySet()) {
for(A a : resolveWithFallback(dnsName,A.class,false).getAnswersOrEmptySet()) {
results.add(Result.createDefault(dnsName,a.getInetAddress()));
}
for(AAAA aaaa : resolveWithFallback(dnsName,AAAA.class,true).getAnswersOrEmptySet()) {
for(AAAA aaaa : resolveWithFallback(dnsName,AAAA.class,false).getAnswersOrEmptySet()) {
results.add(Result.createDefault(dnsName,aaaa.getInetAddress()));
}
if (results.size() == 0) {
for (CNAME cname : resolveWithFallback(dnsName, CNAME.class, true).getAnswersOrEmptySet()) {
results.addAll(resolveFallback(cname.name));
for (CNAME cname : resolveWithFallback(dnsName, CNAME.class, false).getAnswersOrEmptySet()) {
results.addAll(resolveFallback(cname.name, false));
}
}
} catch (IOException e) {
@ -117,11 +126,11 @@ public class Resolver {
}
private static <D extends Data> ResolverResult<D> resolveWithFallback(DNSName dnsName, Class<D> type) throws IOException {
return resolveWithFallback(dnsName,type,false);
return resolveWithFallback(dnsName,type,validateHostname());
}
private static <D extends Data> ResolverResult<D> resolveWithFallback(DNSName dnsName, Class<D> type, boolean skipDnssec) throws IOException {
if (skipDnssec) {
private static <D extends Data> ResolverResult<D> resolveWithFallback(DNSName dnsName, Class<D> type, boolean validateHostname) throws IOException {
if (!validateHostname) {
return ResolverApi.INSTANCE.resolve(dnsName, type);
}
try {
@ -143,6 +152,10 @@ public class Resolver {
return ResolverApi.INSTANCE.resolve(dnsName, type);
}
private static boolean validateHostname() {
return SERVICE != null && SERVICE.getBooleanPreference("validate_hostname", R.bool.validate_hostname);
}
public static class Result implements Comparable<Result> {
private InetAddress ip;
private DNSName hostname;

View file

@ -40,4 +40,5 @@
<bool name="enable_foreground_service">false</bool>
<bool name="never_send">false</bool>
<bool name="return_to_previous">false</bool>
<bool name="validate_hostname">false</bool>
</resources>

View file

@ -756,4 +756,6 @@
<string name="pref_headsup_notifications_summary">Show Heads-up Notifications</string>
<string name="today">Today</string>
<string name="yesterday">Yesterday</string>
<string name="pref_validate_hostname">Validate hostname with DNSSEC</string>
<string name="pref_validate_hostname_summary">Server certificates that contain the validated hostname are considered verified</string>
</resources>

View file

@ -194,6 +194,11 @@
android:key="dont_trust_system_cas"
android:summary="@string/pref_dont_trust_system_cas_summary"
android:title="@string/pref_dont_trust_system_cas_title"/>
<CheckBoxPreference
android:defaultValue="@bool/validate_hostname"
android:key="validate_hostname"
android:summary="@string/pref_validate_hostname_summary"
android:title="@string/pref_validate_hostname"/>
<Preference
android:key="remove_trusted_certificates"
android:summary="@string/pref_remove_trusted_certificates_summary"