made DNSEC hostname validation opt-in

This commit is contained in:
Daniel Gultsch 2017-07-10 09:59:25 +02:00
parent da00a58902
commit abf84e065d
5 changed files with 33 additions and 12 deletions

View File

@ -986,7 +986,7 @@ public class XmppConnectionService extends Service {
public void onCreate() { public void onCreate() {
ExceptionHelper.init(getApplicationContext()); ExceptionHelper.init(getApplicationContext());
PRNGFixes.apply(); PRNGFixes.apply();
Resolver.registerLookupMechanism(this); Resolver.registerXmppConnectionService(this);
this.mRandom = new SecureRandom(); this.mRandom = new SecureRandom();
updateMemorizingTrustmanager(); updateMemorizingTrustmanager();
final int maxMemory = (int) (Runtime.getRuntime().maxMemory() / 1024); final int maxMemory = (int) (Runtime.getRuntime().maxMemory() / 1024);

View File

@ -24,14 +24,23 @@ import de.measite.minidns.record.Data;
import de.measite.minidns.record.InternetAddressRR; import de.measite.minidns.record.InternetAddressRR;
import de.measite.minidns.record.SRV; import de.measite.minidns.record.SRV;
import eu.siacs.conversations.Config; import eu.siacs.conversations.Config;
import eu.siacs.conversations.R;
import eu.siacs.conversations.services.XmppConnectionService;
public class Resolver { public class Resolver {
private static final String DIRECT_TLS_SERVICE = "_xmpps-client"; private static final String DIRECT_TLS_SERVICE = "_xmpps-client";
private static final String STARTTLS_SERICE = "_xmpp-client"; private static final String STARTTLS_SERICE = "_xmpp-client";
private static XmppConnectionService SERVICE = null;
public static void registerLookupMechanism(Context context) {
public static void registerXmppConnectionService(XmppConnectionService service) {
Resolver.SERVICE = service;
registerLookupMechanism(service);
}
private static void registerLookupMechanism(Context context) {
DNSClient.addDnsServerLookupMechanism(new AndroidUsingLinkProperties(context)); DNSClient.addDnsServerLookupMechanism(new AndroidUsingLinkProperties(context));
} }
@ -48,7 +57,7 @@ public class Resolver {
Log.d(Config.LOGTAG,Resolver.class.getSimpleName()+": "+e.getMessage()); Log.d(Config.LOGTAG,Resolver.class.getSimpleName()+": "+e.getMessage());
} }
if (results.size() == 0) { if (results.size() == 0) {
results.addAll(resolveFallback(DNSName.from(domain))); results.addAll(resolveFallback(DNSName.from(domain),true));
} }
Collections.sort(results); Collections.sort(results);
Log.d(Config.LOGTAG,Resolver.class.getSimpleName()+": "+results.toString()); Log.d(Config.LOGTAG,Resolver.class.getSimpleName()+": "+results.toString());
@ -80,7 +89,7 @@ public class Resolver {
} }
List<Result> list = new ArrayList<>(); List<Result> list = new ArrayList<>();
try { try {
ResolverResult<D> results = resolveWithFallback(DNSName.from(srv.name.toString()),type, !authenticated); ResolverResult<D> results = resolveWithFallback(DNSName.from(srv.name.toString()),type, authenticated);
for (D record : results.getAnswersOrEmptySet()) { for (D record : results.getAnswersOrEmptySet()) {
Result resolverResult = Result.fromRecord(srv, directTls); Result resolverResult = Result.fromRecord(srv, directTls);
resolverResult.authenticated = results.isAuthenticData() && authenticated; resolverResult.authenticated = results.isAuthenticData() && authenticated;
@ -93,18 +102,18 @@ public class Resolver {
return list; return list;
} }
private static List<Result> resolveFallback(DNSName dnsName) { private static List<Result> resolveFallback(DNSName dnsName, boolean withCnames) {
List<Result> results = new ArrayList<>(); List<Result> results = new ArrayList<>();
try { try {
for(A a : resolveWithFallback(dnsName,A.class,true).getAnswersOrEmptySet()) { for(A a : resolveWithFallback(dnsName,A.class,false).getAnswersOrEmptySet()) {
results.add(Result.createDefault(dnsName,a.getInetAddress())); results.add(Result.createDefault(dnsName,a.getInetAddress()));
} }
for(AAAA aaaa : resolveWithFallback(dnsName,AAAA.class,true).getAnswersOrEmptySet()) { for(AAAA aaaa : resolveWithFallback(dnsName,AAAA.class,false).getAnswersOrEmptySet()) {
results.add(Result.createDefault(dnsName,aaaa.getInetAddress())); results.add(Result.createDefault(dnsName,aaaa.getInetAddress()));
} }
if (results.size() == 0) { if (results.size() == 0) {
for (CNAME cname : resolveWithFallback(dnsName, CNAME.class, true).getAnswersOrEmptySet()) { for (CNAME cname : resolveWithFallback(dnsName, CNAME.class, false).getAnswersOrEmptySet()) {
results.addAll(resolveFallback(cname.name)); results.addAll(resolveFallback(cname.name, false));
} }
} }
} catch (IOException e) { } catch (IOException e) {
@ -117,11 +126,11 @@ public class Resolver {
} }
private static <D extends Data> ResolverResult<D> resolveWithFallback(DNSName dnsName, Class<D> type) throws IOException { private static <D extends Data> ResolverResult<D> resolveWithFallback(DNSName dnsName, Class<D> type) throws IOException {
return resolveWithFallback(dnsName,type,false); return resolveWithFallback(dnsName,type,validateHostname());
} }
private static <D extends Data> ResolverResult<D> resolveWithFallback(DNSName dnsName, Class<D> type, boolean skipDnssec) throws IOException { private static <D extends Data> ResolverResult<D> resolveWithFallback(DNSName dnsName, Class<D> type, boolean validateHostname) throws IOException {
if (skipDnssec) { if (!validateHostname) {
return ResolverApi.INSTANCE.resolve(dnsName, type); return ResolverApi.INSTANCE.resolve(dnsName, type);
} }
try { try {
@ -143,6 +152,10 @@ public class Resolver {
return ResolverApi.INSTANCE.resolve(dnsName, type); return ResolverApi.INSTANCE.resolve(dnsName, type);
} }
private static boolean validateHostname() {
return SERVICE != null && SERVICE.getBooleanPreference("validate_hostname", R.bool.validate_hostname);
}
public static class Result implements Comparable<Result> { public static class Result implements Comparable<Result> {
private InetAddress ip; private InetAddress ip;
private DNSName hostname; private DNSName hostname;

View File

@ -40,4 +40,5 @@
<bool name="enable_foreground_service">false</bool> <bool name="enable_foreground_service">false</bool>
<bool name="never_send">false</bool> <bool name="never_send">false</bool>
<bool name="return_to_previous">false</bool> <bool name="return_to_previous">false</bool>
<bool name="validate_hostname">false</bool>
</resources> </resources>

View File

@ -756,4 +756,6 @@
<string name="pref_headsup_notifications_summary">Show Heads-up Notifications</string> <string name="pref_headsup_notifications_summary">Show Heads-up Notifications</string>
<string name="today">Today</string> <string name="today">Today</string>
<string name="yesterday">Yesterday</string> <string name="yesterday">Yesterday</string>
<string name="pref_validate_hostname">Validate hostname with DNSSEC</string>
<string name="pref_validate_hostname_summary">Server certificates that contain the validated hostname are considered verified</string>
</resources> </resources>

View File

@ -194,6 +194,11 @@
android:key="dont_trust_system_cas" android:key="dont_trust_system_cas"
android:summary="@string/pref_dont_trust_system_cas_summary" android:summary="@string/pref_dont_trust_system_cas_summary"
android:title="@string/pref_dont_trust_system_cas_title"/> android:title="@string/pref_dont_trust_system_cas_title"/>
<CheckBoxPreference
android:defaultValue="@bool/validate_hostname"
android:key="validate_hostname"
android:summary="@string/pref_validate_hostname_summary"
android:title="@string/pref_validate_hostname"/>
<Preference <Preference
android:key="remove_trusted_certificates" android:key="remove_trusted_certificates"
android:summary="@string/pref_remove_trusted_certificates_summary" android:summary="@string/pref_remove_trusted_certificates_summary"