made DNSEC hostname validation opt-in
This commit is contained in:
Daniel Gultsch
parent
da00a58902
commit
abf84e065d
@ -986,7 +986,7 @@ public class XmppConnectionService extends Service {
|
|||||||
public void onCreate() {
|
public void onCreate() {
|
||||||
ExceptionHelper.init(getApplicationContext());
|
ExceptionHelper.init(getApplicationContext());
|
||||||
PRNGFixes.apply();
|
PRNGFixes.apply();
|
||||||
Resolver.registerLookupMechanism(this);
|
Resolver.registerXmppConnectionService(this);
|
||||||
this.mRandom = new SecureRandom();
|
this.mRandom = new SecureRandom();
|
||||||
updateMemorizingTrustmanager();
|
updateMemorizingTrustmanager();
|
||||||
final int maxMemory = (int) (Runtime.getRuntime().maxMemory() / 1024);
|
final int maxMemory = (int) (Runtime.getRuntime().maxMemory() / 1024);
|
||||||
|
|||||||
@ -24,14 +24,23 @@ import de.measite.minidns.record.Data;
|
|||||||
import de.measite.minidns.record.InternetAddressRR;
|
import de.measite.minidns.record.InternetAddressRR;
|
||||||
import de.measite.minidns.record.SRV;
|
import de.measite.minidns.record.SRV;
|
||||||
import eu.siacs.conversations.Config;
|
import eu.siacs.conversations.Config;
|
||||||
|
import eu.siacs.conversations.R;
|
||||||
|
import eu.siacs.conversations.services.XmppConnectionService;
|
||||||
|
|
||||||
public class Resolver {
|
public class Resolver {
|
||||||
|
|
||||||
private static final String DIRECT_TLS_SERVICE = "_xmpps-client";
|
private static final String DIRECT_TLS_SERVICE = "_xmpps-client";
|
||||||
private static final String STARTTLS_SERICE = "_xmpp-client";
|
private static final String STARTTLS_SERICE = "_xmpp-client";
|
||||||
|
|
||||||
|
private static XmppConnectionService SERVICE = null;
|
||||||
|
|
||||||
public static void registerLookupMechanism(Context context) {
|
|
||||||
|
public static void registerXmppConnectionService(XmppConnectionService service) {
|
||||||
|
Resolver.SERVICE = service;
|
||||||
|
registerLookupMechanism(service);
|
||||||
|
}
|
||||||
|
|
||||||
|
private static void registerLookupMechanism(Context context) {
|
||||||
DNSClient.addDnsServerLookupMechanism(new AndroidUsingLinkProperties(context));
|
DNSClient.addDnsServerLookupMechanism(new AndroidUsingLinkProperties(context));
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -48,7 +57,7 @@ public class Resolver {
|
|||||||
Log.d(Config.LOGTAG,Resolver.class.getSimpleName()+": "+e.getMessage());
|
Log.d(Config.LOGTAG,Resolver.class.getSimpleName()+": "+e.getMessage());
|
||||||
}
|
}
|
||||||
if (results.size() == 0) {
|
if (results.size() == 0) {
|
||||||
results.addAll(resolveFallback(DNSName.from(domain)));
|
results.addAll(resolveFallback(DNSName.from(domain),true));
|
||||||
}
|
}
|
||||||
Collections.sort(results);
|
Collections.sort(results);
|
||||||
Log.d(Config.LOGTAG,Resolver.class.getSimpleName()+": "+results.toString());
|
Log.d(Config.LOGTAG,Resolver.class.getSimpleName()+": "+results.toString());
|
||||||
@ -80,7 +89,7 @@ public class Resolver {
|
|||||||
}
|
}
|
||||||
List<Result> list = new ArrayList<>();
|
List<Result> list = new ArrayList<>();
|
||||||
try {
|
try {
|
||||||
ResolverResult<D> results = resolveWithFallback(DNSName.from(srv.name.toString()),type, !authenticated);
|
ResolverResult<D> results = resolveWithFallback(DNSName.from(srv.name.toString()),type, authenticated);
|
||||||
for (D record : results.getAnswersOrEmptySet()) {
|
for (D record : results.getAnswersOrEmptySet()) {
|
||||||
Result resolverResult = Result.fromRecord(srv, directTls);
|
Result resolverResult = Result.fromRecord(srv, directTls);
|
||||||
resolverResult.authenticated = results.isAuthenticData() && authenticated;
|
resolverResult.authenticated = results.isAuthenticData() && authenticated;
|
||||||
@ -93,18 +102,18 @@ public class Resolver {
|
|||||||
return list;
|
return list;
|
||||||
}
|
}
|
||||||
|
|
||||||
private static List<Result> resolveFallback(DNSName dnsName) {
|
private static List<Result> resolveFallback(DNSName dnsName, boolean withCnames) {
|
||||||
List<Result> results = new ArrayList<>();
|
List<Result> results = new ArrayList<>();
|
||||||
try {
|
try {
|
||||||
for(A a : resolveWithFallback(dnsName,A.class,true).getAnswersOrEmptySet()) {
|
for(A a : resolveWithFallback(dnsName,A.class,false).getAnswersOrEmptySet()) {
|
||||||
results.add(Result.createDefault(dnsName,a.getInetAddress()));
|
results.add(Result.createDefault(dnsName,a.getInetAddress()));
|
||||||
}
|
}
|
||||||
for(AAAA aaaa : resolveWithFallback(dnsName,AAAA.class,true).getAnswersOrEmptySet()) {
|
for(AAAA aaaa : resolveWithFallback(dnsName,AAAA.class,false).getAnswersOrEmptySet()) {
|
||||||
results.add(Result.createDefault(dnsName,aaaa.getInetAddress()));
|
results.add(Result.createDefault(dnsName,aaaa.getInetAddress()));
|
||||||
}
|
}
|
||||||
if (results.size() == 0) {
|
if (results.size() == 0) {
|
||||||
for (CNAME cname : resolveWithFallback(dnsName, CNAME.class, true).getAnswersOrEmptySet()) {
|
for (CNAME cname : resolveWithFallback(dnsName, CNAME.class, false).getAnswersOrEmptySet()) {
|
||||||
results.addAll(resolveFallback(cname.name));
|
results.addAll(resolveFallback(cname.name, false));
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
} catch (IOException e) {
|
} catch (IOException e) {
|
||||||
@ -117,11 +126,11 @@ public class Resolver {
|
|||||||
}
|
}
|
||||||
|
|
||||||
private static <D extends Data> ResolverResult<D> resolveWithFallback(DNSName dnsName, Class<D> type) throws IOException {
|
private static <D extends Data> ResolverResult<D> resolveWithFallback(DNSName dnsName, Class<D> type) throws IOException {
|
||||||
return resolveWithFallback(dnsName,type,false);
|
return resolveWithFallback(dnsName,type,validateHostname());
|
||||||
}
|
}
|
||||||
|
|
||||||
private static <D extends Data> ResolverResult<D> resolveWithFallback(DNSName dnsName, Class<D> type, boolean skipDnssec) throws IOException {
|
private static <D extends Data> ResolverResult<D> resolveWithFallback(DNSName dnsName, Class<D> type, boolean validateHostname) throws IOException {
|
||||||
if (skipDnssec) {
|
if (!validateHostname) {
|
||||||
return ResolverApi.INSTANCE.resolve(dnsName, type);
|
return ResolverApi.INSTANCE.resolve(dnsName, type);
|
||||||
}
|
}
|
||||||
try {
|
try {
|
||||||
@ -143,6 +152,10 @@ public class Resolver {
|
|||||||
return ResolverApi.INSTANCE.resolve(dnsName, type);
|
return ResolverApi.INSTANCE.resolve(dnsName, type);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
private static boolean validateHostname() {
|
||||||
|
return SERVICE != null && SERVICE.getBooleanPreference("validate_hostname", R.bool.validate_hostname);
|
||||||
|
}
|
||||||
|
|
||||||
public static class Result implements Comparable<Result> {
|
public static class Result implements Comparable<Result> {
|
||||||
private InetAddress ip;
|
private InetAddress ip;
|
||||||
private DNSName hostname;
|
private DNSName hostname;
|
||||||
|
|||||||
@ -40,4 +40,5 @@
|
|||||||
<bool name="enable_foreground_service">false</bool>
|
<bool name="enable_foreground_service">false</bool>
|
||||||
<bool name="never_send">false</bool>
|
<bool name="never_send">false</bool>
|
||||||
<bool name="return_to_previous">false</bool>
|
<bool name="return_to_previous">false</bool>
|
||||||
|
<bool name="validate_hostname">false</bool>
|
||||||
</resources>
|
</resources>
|
||||||
|
|||||||
@ -756,4 +756,6 @@
|
|||||||
<string name="pref_headsup_notifications_summary">Show Heads-up Notifications</string>
|
<string name="pref_headsup_notifications_summary">Show Heads-up Notifications</string>
|
||||||
<string name="today">Today</string>
|
<string name="today">Today</string>
|
||||||
<string name="yesterday">Yesterday</string>
|
<string name="yesterday">Yesterday</string>
|
||||||
|
<string name="pref_validate_hostname">Validate hostname with DNSSEC</string>
|
||||||
|
<string name="pref_validate_hostname_summary">Server certificates that contain the validated hostname are considered verified</string>
|
||||||
</resources>
|
</resources>
|
||||||
|
|||||||
@ -194,6 +194,11 @@
|
|||||||
android:key="dont_trust_system_cas"
|
android:key="dont_trust_system_cas"
|
||||||
android:summary="@string/pref_dont_trust_system_cas_summary"
|
android:summary="@string/pref_dont_trust_system_cas_summary"
|
||||||
android:title="@string/pref_dont_trust_system_cas_title"/>
|
android:title="@string/pref_dont_trust_system_cas_title"/>
|
||||||
|
<CheckBoxPreference
|
||||||
|
android:defaultValue="@bool/validate_hostname"
|
||||||
|
android:key="validate_hostname"
|
||||||
|
android:summary="@string/pref_validate_hostname_summary"
|
||||||
|
android:title="@string/pref_validate_hostname"/>
|
||||||
<Preference
|
<Preference
|
||||||
android:key="remove_trusted_certificates"
|
android:key="remove_trusted_certificates"
|
||||||
android:summary="@string/pref_remove_trusted_certificates_summary"
|
android:summary="@string/pref_remove_trusted_certificates_summary"
|
||||||
|
|||||||
Loading…
Reference in New Issue
Block a user