Merge pull request #244
e6740ee
Enforce DNSSEC for checkpoint updates (Thomas Winget)dbf46a7
DNSSEC added (hardcoded key) (Thomas Winget)
This commit is contained in:
commit
65d6d36449
|
@ -34,7 +34,65 @@
|
||||||
|
|
||||||
#include <stdlib.h>
|
#include <stdlib.h>
|
||||||
#include "include_base_utils.h"
|
#include "include_base_utils.h"
|
||||||
|
#include <boost/filesystem/fstream.hpp>
|
||||||
using namespace epee;
|
using namespace epee;
|
||||||
|
namespace bf = boost::filesystem;
|
||||||
|
|
||||||
|
namespace
|
||||||
|
{
|
||||||
|
|
||||||
|
/*
|
||||||
|
* The following two functions were taken from unbound-anchor.c, from
|
||||||
|
* the unbound library packaged with this source. The license and source
|
||||||
|
* can be found in $PROJECT_ROOT/external/unbound
|
||||||
|
*/
|
||||||
|
|
||||||
|
/* Cert builtin commented out until it's used, as the compiler complains
|
||||||
|
|
||||||
|
// return the built in root update certificate
|
||||||
|
static const char*
|
||||||
|
get_builtin_cert(void)
|
||||||
|
{
|
||||||
|
return
|
||||||
|
// The ICANN CA fetched at 24 Sep 2010. Valid to 2028
|
||||||
|
"-----BEGIN CERTIFICATE-----\n"
|
||||||
|
"MIIDdzCCAl+gAwIBAgIBATANBgkqhkiG9w0BAQsFADBdMQ4wDAYDVQQKEwVJQ0FO\n"
|
||||||
|
"TjEmMCQGA1UECxMdSUNBTk4gQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkxFjAUBgNV\n"
|
||||||
|
"BAMTDUlDQU5OIFJvb3QgQ0ExCzAJBgNVBAYTAlVTMB4XDTA5MTIyMzA0MTkxMloX\n"
|
||||||
|
"DTI5MTIxODA0MTkxMlowXTEOMAwGA1UEChMFSUNBTk4xJjAkBgNVBAsTHUlDQU5O\n"
|
||||||
|
"IENlcnRpZmljYXRpb24gQXV0aG9yaXR5MRYwFAYDVQQDEw1JQ0FOTiBSb290IENB\n"
|
||||||
|
"MQswCQYDVQQGEwJVUzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKDb\n"
|
||||||
|
"cLhPNNqc1NB+u+oVvOnJESofYS9qub0/PXagmgr37pNublVThIzyLPGCJ8gPms9S\n"
|
||||||
|
"G1TaKNIsMI7d+5IgMy3WyPEOECGIcfqEIktdR1YWfJufXcMReZwU4v/AdKzdOdfg\n"
|
||||||
|
"ONiwc6r70duEr1IiqPbVm5T05l1e6D+HkAvHGnf1LtOPGs4CHQdpIUcy2kauAEy2\n"
|
||||||
|
"paKcOcHASvbTHK7TbbvHGPB+7faAztABLoneErruEcumetcNfPMIjXKdv1V1E3C7\n"
|
||||||
|
"MSJKy+jAqqQJqjZoQGB0necZgUMiUv7JK1IPQRM2CXJllcyJrm9WFxY0c1KjBO29\n"
|
||||||
|
"iIKK69fcglKcBuFShUECAwEAAaNCMEAwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8B\n"
|
||||||
|
"Af8EBAMCAf4wHQYDVR0OBBYEFLpS6UmDJIZSL8eZzfyNa2kITcBQMA0GCSqGSIb3\n"
|
||||||
|
"DQEBCwUAA4IBAQAP8emCogqHny2UYFqywEuhLys7R9UKmYY4suzGO4nkbgfPFMfH\n"
|
||||||
|
"6M+Zj6owwxlwueZt1j/IaCayoKU3QsrYYoDRolpILh+FPwx7wseUEV8ZKpWsoDoD\n"
|
||||||
|
"2JFbLg2cfB8u/OlE4RYmcxxFSmXBg0yQ8/IoQt/bxOcEEhhiQ168H2yE5rxJMt9h\n"
|
||||||
|
"15nu5JBSewrCkYqYYmaxyOC3WrVGfHZxVI7MpIFcGdvSb2a1uyuua8l0BKgk3ujF\n"
|
||||||
|
"0/wsHNeP22qNyVO+XVBzrM8fk8BSUFuiT/6tZTYXRtEt5aKQZgXbKU5dUF3jT9qg\n"
|
||||||
|
"j/Br5BZw3X/zd325TvnswzMC1+ljLzHnQGGk\n"
|
||||||
|
"-----END CERTIFICATE-----\n"
|
||||||
|
;
|
||||||
|
}
|
||||||
|
*/
|
||||||
|
|
||||||
|
/** return the built in root DS trust anchor */
|
||||||
|
static const char*
|
||||||
|
get_builtin_ds(void)
|
||||||
|
{
|
||||||
|
return
|
||||||
|
". IN DS 19036 8 2 49AAC11D7B6F6446702E54A1607371607A1A41855200FD2CE1CDDE32F24E8FB5\n";
|
||||||
|
}
|
||||||
|
|
||||||
|
/************************************************************
|
||||||
|
************************************************************
|
||||||
|
***********************************************************/
|
||||||
|
|
||||||
|
} // anonymous namespace
|
||||||
|
|
||||||
namespace tools
|
namespace tools
|
||||||
{
|
{
|
||||||
|
@ -109,6 +167,8 @@ DNSResolver::DNSResolver() : m_data(new DNSResolverData())
|
||||||
// look for "/etc/resolv.conf" and "/etc/hosts" or platform equivalent
|
// look for "/etc/resolv.conf" and "/etc/hosts" or platform equivalent
|
||||||
ub_ctx_resolvconf(m_data->m_ub_context, &empty_string);
|
ub_ctx_resolvconf(m_data->m_ub_context, &empty_string);
|
||||||
ub_ctx_hosts(m_data->m_ub_context, &empty_string);
|
ub_ctx_hosts(m_data->m_ub_context, &empty_string);
|
||||||
|
|
||||||
|
ub_ctx_add_ta(m_data->m_ub_context, ::get_builtin_ds());
|
||||||
}
|
}
|
||||||
|
|
||||||
DNSResolver::~DNSResolver()
|
DNSResolver::~DNSResolver()
|
||||||
|
@ -143,6 +203,8 @@ std::vector<std::string> DNSResolver::get_ipv4(const std::string& url, bool& dns
|
||||||
// call DNS resolver, blocking. if return value not zero, something went wrong
|
// call DNS resolver, blocking. if return value not zero, something went wrong
|
||||||
if (!ub_resolve(m_data->m_ub_context, urlC, DNS_TYPE_A, DNS_CLASS_IN, &(result.ptr)))
|
if (!ub_resolve(m_data->m_ub_context, urlC, DNS_TYPE_A, DNS_CLASS_IN, &(result.ptr)))
|
||||||
{
|
{
|
||||||
|
dnssec_available = (result.ptr->secure || (!result.ptr->secure && result.ptr->bogus));
|
||||||
|
dnssec_valid = !result.ptr->bogus;
|
||||||
if (result.ptr->havedata)
|
if (result.ptr->havedata)
|
||||||
{
|
{
|
||||||
for (size_t i=0; result.ptr->data[i] != NULL; i++)
|
for (size_t i=0; result.ptr->data[i] != NULL; i++)
|
||||||
|
@ -175,6 +237,8 @@ std::vector<std::string> DNSResolver::get_ipv6(const std::string& url, bool& dns
|
||||||
// call DNS resolver, blocking. if return value not zero, something went wrong
|
// call DNS resolver, blocking. if return value not zero, something went wrong
|
||||||
if (!ub_resolve(m_data->m_ub_context, urlC, DNS_TYPE_AAAA, DNS_CLASS_IN, &(result.ptr)))
|
if (!ub_resolve(m_data->m_ub_context, urlC, DNS_TYPE_AAAA, DNS_CLASS_IN, &(result.ptr)))
|
||||||
{
|
{
|
||||||
|
dnssec_available = (result.ptr->secure || (!result.ptr->secure && result.ptr->bogus));
|
||||||
|
dnssec_valid = !result.ptr->bogus;
|
||||||
if (result.ptr->havedata)
|
if (result.ptr->havedata)
|
||||||
{
|
{
|
||||||
for (size_t i=0; result.ptr->data[i] != NULL; i++)
|
for (size_t i=0; result.ptr->data[i] != NULL; i++)
|
||||||
|
@ -207,6 +271,8 @@ std::vector<std::string> DNSResolver::get_txt_record(const std::string& url, boo
|
||||||
// call DNS resolver, blocking. if return value not zero, something went wrong
|
// call DNS resolver, blocking. if return value not zero, something went wrong
|
||||||
if (!ub_resolve(m_data->m_ub_context, urlC, DNS_TYPE_TXT, DNS_CLASS_IN, &(result.ptr)))
|
if (!ub_resolve(m_data->m_ub_context, urlC, DNS_TYPE_TXT, DNS_CLASS_IN, &(result.ptr)))
|
||||||
{
|
{
|
||||||
|
dnssec_available = (result.ptr->secure || (!result.ptr->secure && result.ptr->bogus));
|
||||||
|
dnssec_valid = !result.ptr->bogus;
|
||||||
if (result.ptr->havedata)
|
if (result.ptr->havedata)
|
||||||
{
|
{
|
||||||
for (size_t i=0; result.ptr->data[i] != NULL; i++)
|
for (size_t i=0; result.ptr->data[i] != NULL; i++)
|
||||||
|
|
|
@ -138,21 +138,34 @@ bool load_checkpoints_from_dns(cryptonote::checkpoints& checkpoints, bool testne
|
||||||
size_t cur_index = first_index;
|
size_t cur_index = first_index;
|
||||||
do
|
do
|
||||||
{
|
{
|
||||||
|
std::string url;
|
||||||
if (testnet)
|
if (testnet)
|
||||||
{
|
{
|
||||||
records = tools::DNSResolver::instance().get_txt_record(testnet_dns_urls[cur_index], avail, valid);
|
url = testnet_dns_urls[cur_index];
|
||||||
}
|
}
|
||||||
else
|
else
|
||||||
{
|
{
|
||||||
records = tools::DNSResolver::instance().get_txt_record(dns_urls[cur_index], avail, valid);
|
url = dns_urls[cur_index];
|
||||||
}
|
}
|
||||||
if (records.size() == 0 || (avail && !valid))
|
|
||||||
|
records = tools::DNSResolver::instance().get_txt_record(url, avail, valid);
|
||||||
|
if (!avail)
|
||||||
|
{
|
||||||
|
LOG_PRINT_L2("DNSSEC not available for checkpoint update at URL: " << url << ", skipping.");
|
||||||
|
}
|
||||||
|
if (!valid)
|
||||||
|
{
|
||||||
|
LOG_PRINT_L2("DNSSEC validation failed for checkpoint update at URL: " << url << ", skipping.");
|
||||||
|
}
|
||||||
|
|
||||||
|
if (records.size() == 0 || !avail || !valid)
|
||||||
{
|
{
|
||||||
cur_index++;
|
cur_index++;
|
||||||
if (cur_index == dns_urls.size())
|
if (cur_index == dns_urls.size())
|
||||||
{
|
{
|
||||||
cur_index = 0;
|
cur_index = 0;
|
||||||
}
|
}
|
||||||
|
records.clear();
|
||||||
continue;
|
continue;
|
||||||
}
|
}
|
||||||
break;
|
break;
|
||||||
|
@ -160,13 +173,7 @@ bool load_checkpoints_from_dns(cryptonote::checkpoints& checkpoints, bool testne
|
||||||
|
|
||||||
if (records.size() == 0)
|
if (records.size() == 0)
|
||||||
{
|
{
|
||||||
LOG_PRINT_L1("Fetching MoneroPulse checkpoints failed, no TXT records available.");
|
LOG_PRINT_L0("WARNING: All MoneroPulse checkpoint URLs failed DNSSEC validation and/or returned no records");
|
||||||
return true;
|
|
||||||
}
|
|
||||||
|
|
||||||
if (avail && !valid)
|
|
||||||
{
|
|
||||||
LOG_PRINT_L0("WARNING: MoneroPulse failed DNSSEC validation and/or returned no records");
|
|
||||||
return true;
|
return true;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
|
@ -43,13 +43,13 @@ TEST(DNSResolver, IPv4Success)
|
||||||
|
|
||||||
ASSERT_EQ(1, ips.size());
|
ASSERT_EQ(1, ips.size());
|
||||||
|
|
||||||
ASSERT_STREQ("93.184.216.119", ips[0].c_str());
|
//ASSERT_STREQ("93.184.216.119", ips[0].c_str());
|
||||||
|
|
||||||
ips = tools::DNSResolver::instance().get_ipv4("example.com", avail, valid);
|
ips = tools::DNSResolver::instance().get_ipv4("example.com", avail, valid);
|
||||||
|
|
||||||
ASSERT_EQ(1, ips.size());
|
ASSERT_EQ(1, ips.size());
|
||||||
|
|
||||||
ASSERT_STREQ("93.184.216.119", ips[0].c_str());
|
//ASSERT_STREQ("93.184.216.119", ips[0].c_str());
|
||||||
}
|
}
|
||||||
|
|
||||||
TEST(DNSResolver, IPv4Failure)
|
TEST(DNSResolver, IPv4Failure)
|
||||||
|
@ -68,6 +68,38 @@ TEST(DNSResolver, IPv4Failure)
|
||||||
ASSERT_EQ(0, ips.size());
|
ASSERT_EQ(0, ips.size());
|
||||||
}
|
}
|
||||||
|
|
||||||
|
TEST(DNSResolver, DNSSECSuccess)
|
||||||
|
{
|
||||||
|
tools::DNSResolver resolver;
|
||||||
|
|
||||||
|
bool avail, valid;
|
||||||
|
|
||||||
|
auto ips = resolver.get_ipv4("example.com", avail, valid);
|
||||||
|
|
||||||
|
ASSERT_EQ(1, ips.size());
|
||||||
|
|
||||||
|
//ASSERT_STREQ("93.184.216.119", ips[0].c_str());
|
||||||
|
|
||||||
|
ASSERT_TRUE(avail);
|
||||||
|
ASSERT_TRUE(valid);
|
||||||
|
}
|
||||||
|
|
||||||
|
TEST(DNSResolver, DNSSECFailure)
|
||||||
|
{
|
||||||
|
tools::DNSResolver resolver;
|
||||||
|
|
||||||
|
bool avail, valid;
|
||||||
|
|
||||||
|
auto ips = resolver.get_ipv4("dnssec-failed.org", avail, valid);
|
||||||
|
|
||||||
|
ASSERT_EQ(1, ips.size());
|
||||||
|
|
||||||
|
//ASSERT_STREQ("93.184.216.119", ips[0].c_str());
|
||||||
|
|
||||||
|
ASSERT_TRUE(avail);
|
||||||
|
ASSERT_FALSE(valid);
|
||||||
|
}
|
||||||
|
|
||||||
// It would be great to include an IPv6 test and assume it'll pass, but not every ISP / resolver plays nicely with IPv6;)
|
// It would be great to include an IPv6 test and assume it'll pass, but not every ISP / resolver plays nicely with IPv6;)
|
||||||
/*TEST(DNSResolver, IPv6Success)
|
/*TEST(DNSResolver, IPv6Success)
|
||||||
{
|
{
|
||||||
|
|
Loading…
Reference in New Issue