From c32590697cea9cc8b7bdd586e5f4791bdec4fef5 Mon Sep 17 00:00:00 2001
From: Christian Schneppe <christian@pix-art.de>
Date: Tue, 1 Aug 2017 11:53:00 +0200
Subject: made DNSEC hostname validation opt-in

---
 .../messenger/services/XmppConnectionService.java  |  2 +-
 .../java/de/pixart/messenger/utils/Resolver.java   | 35 +++++++++++++++-------
 src/main/res/values/defaults.xml                   |  1 +
 src/main/res/values/strings.xml                    |  2 ++
 src/main/res/xml/preferences.xml                   |  5 ++++
 5 files changed, 33 insertions(+), 12 deletions(-)

diff --git a/src/main/java/de/pixart/messenger/services/XmppConnectionService.java b/src/main/java/de/pixart/messenger/services/XmppConnectionService.java
index 1464d8ec0..0be6c824a 100644
--- a/src/main/java/de/pixart/messenger/services/XmppConnectionService.java
+++ b/src/main/java/de/pixart/messenger/services/XmppConnectionService.java
@@ -1088,7 +1088,7 @@ public class XmppConnectionService extends Service {
     public void onCreate() {
         ExceptionHelper.init(getApplicationContext());
         PRNGFixes.apply();
-        Resolver.registerLookupMechanism(this);
+        Resolver.registerXmppConnectionService(this);
         this.mRandom = new SecureRandom();
         updateMemorizingTrustmanager();
         final int maxMemory = (int) (Runtime.getRuntime().maxMemory() / 1024);
diff --git a/src/main/java/de/pixart/messenger/utils/Resolver.java b/src/main/java/de/pixart/messenger/utils/Resolver.java
index 29b55d592..d6572aed6 100644
--- a/src/main/java/de/pixart/messenger/utils/Resolver.java
+++ b/src/main/java/de/pixart/messenger/utils/Resolver.java
@@ -24,13 +24,22 @@ import de.measite.minidns.record.Data;
 import de.measite.minidns.record.InternetAddressRR;
 import de.measite.minidns.record.SRV;
 import de.pixart.messenger.Config;
+import de.pixart.messenger.R;
+import de.pixart.messenger.services.XmppConnectionService;
 
 public class Resolver {
 
     private static final String DIRECT_TLS_SERVICE = "_xmpps-client";
     private static final String STARTTLS_SERICE = "_xmpp-client";
 
-    public static void registerLookupMechanism(Context context) {
+    private static XmppConnectionService SERVICE = null;
+
+    public static void registerXmppConnectionService(XmppConnectionService service) {
+        Resolver.SERVICE = service;
+        registerLookupMechanism(service);
+    }
+
+    private static void registerLookupMechanism(Context context) {
         DNSClient.addDnsServerLookupMechanism(new AndroidUsingLinkProperties(context));
     }
 
@@ -47,7 +56,7 @@ public class Resolver {
             Log.d(Config.LOGTAG, Resolver.class.getSimpleName() + ": " + e.getMessage());
         }
         if (results.size() == 0) {
-            results.addAll(resolveFallback(DNSName.from(domain)));
+            results.addAll(resolveFallback(DNSName.from(domain), true));
         }
         Collections.sort(results);
         Log.d(Config.LOGTAG, Resolver.class.getSimpleName() + ": " + results.toString());
@@ -79,7 +88,7 @@ public class Resolver {
         }
         List<Result> list = new ArrayList<>();
         try {
-            ResolverResult<D> results = resolveWithFallback(DNSName.from(srv.name.toString()), type, !authenticated);
+            ResolverResult<D> results = resolveWithFallback(DNSName.from(srv.name.toString()), type, authenticated);
             for (D record : results.getAnswersOrEmptySet()) {
                 Result resolverResult = Result.fromRecord(srv, directTls);
                 resolverResult.authenticated = results.isAuthenticData() && authenticated;
@@ -92,18 +101,18 @@ public class Resolver {
         return list;
     }
 
-    private static List<Result> resolveFallback(DNSName dnsName) {
+    private static List<Result> resolveFallback(DNSName dnsName, boolean withCnames) {
         List<Result> results = new ArrayList<>();
         try {
-            for (A a : resolveWithFallback(dnsName, A.class, true).getAnswersOrEmptySet()) {
+            for (A a : resolveWithFallback(dnsName, A.class, false).getAnswersOrEmptySet()) {
                 results.add(Result.createDefault(dnsName, a.getInetAddress()));
             }
-            for (AAAA aaaa : resolveWithFallback(dnsName, AAAA.class, true).getAnswersOrEmptySet()) {
+            for (AAAA aaaa : resolveWithFallback(dnsName, AAAA.class, false).getAnswersOrEmptySet()) {
                 results.add(Result.createDefault(dnsName, aaaa.getInetAddress()));
             }
             if (results.size() == 0) {
-                for (CNAME cname : resolveWithFallback(dnsName, CNAME.class, true).getAnswersOrEmptySet()) {
-                    results.addAll(resolveFallback(cname.name));
+                for (CNAME cname : resolveWithFallback(dnsName, CNAME.class, false).getAnswersOrEmptySet()) {
+                    results.addAll(resolveFallback(cname.name, false));
                 }
             }
         } catch (IOException e) {
@@ -116,11 +125,11 @@ public class Resolver {
     }
 
     private static <D extends Data> ResolverResult<D> resolveWithFallback(DNSName dnsName, Class<D> type) throws IOException {
-        return resolveWithFallback(dnsName, type, false);
+        return resolveWithFallback(dnsName, type, validateHostname());
     }
 
-    private static <D extends Data> ResolverResult<D> resolveWithFallback(DNSName dnsName, Class<D> type, boolean skipDnssec) throws IOException {
-        if (skipDnssec) {
+    private static <D extends Data> ResolverResult<D> resolveWithFallback(DNSName dnsName, Class<D> type, boolean validateHostname) throws IOException {
+        if (!validateHostname) {
             return ResolverApi.INSTANCE.resolve(dnsName, type);
         }
         try {
@@ -142,6 +151,10 @@ public class Resolver {
         return ResolverApi.INSTANCE.resolve(dnsName, type);
     }
 
+    private static boolean validateHostname() {
+        return SERVICE != null && SERVICE.getBooleanPreference("validate_hostname", R.bool.validate_hostname);
+    }
+
     public static class Result implements Comparable<Result> {
         private InetAddress ip;
         private DNSName hostname;
diff --git a/src/main/res/values/defaults.xml b/src/main/res/values/defaults.xml
index e191286a1..5a7a1c057 100644
--- a/src/main/res/values/defaults.xml
+++ b/src/main/res/values/defaults.xml
@@ -46,4 +46,5 @@
     <bool name="use_white_background">false</bool>
     <bool name="send_crashreport">true</bool>
     <bool name="plain_text_logs">false</bool>
+    <bool name="validate_hostname">false</bool>
 </resources>
\ No newline at end of file
diff --git a/src/main/res/values/strings.xml b/src/main/res/values/strings.xml
index d2a894ae2..403902149 100644
--- a/src/main/res/values/strings.xml
+++ b/src/main/res/values/strings.xml
@@ -778,4 +778,6 @@
     <string name="pref_headsup_notifications">Heads-up Notifications</string>
     <string name="pref_headsup_notifications_summary">Show Heads-up Notifications</string>
     <string name="yesterday">Yesterday</string>
+    <string name="pref_validate_hostname">Validate hostname with DNSSEC</string>
+    <string name="pref_validate_hostname_summary">Server certificates that contain the validated hostname are considered verified</string>
 </resources>
diff --git a/src/main/res/xml/preferences.xml b/src/main/res/xml/preferences.xml
index 60fa80f4a..a3cfc15ed 100644
--- a/src/main/res/xml/preferences.xml
+++ b/src/main/res/xml/preferences.xml
@@ -275,6 +275,11 @@
                 android:key="dont_trust_system_cas"
                 android:summary="@string/pref_dont_trust_system_cas_summary"
                 android:title="@string/pref_dont_trust_system_cas_title" />
+            <CheckBoxPreference
+                android:defaultValue="@bool/validate_hostname"
+                android:key="validate_hostname"
+                android:summary="@string/pref_validate_hostname_summary"
+                android:title="@string/pref_validate_hostname" />
             <Preference
                 android:key="remove_trusted_certificates"
                 android:summary="@string/pref_remove_trusted_certificates_summary"
-- 
cgit v1.2.3