aboutsummaryrefslogtreecommitdiff
path: root/src
diff options
context:
space:
mode:
authorRiccardo Spagni <ric@spagni.net>2015-03-26 13:49:50 +0200
committerRiccardo Spagni <ric@spagni.net>2015-03-26 13:50:06 +0200
commit65d6d36449695b65d8d746509bff4606746cc329 (patch)
treed9365feebea17feaa388d2683232f3e9d330890d /src
parentMerge pull request #242 (diff)
parentEnforce DNSSEC for checkpoint updates (diff)
downloadmonero-65d6d36449695b65d8d746509bff4606746cc329.tar.xz
Merge pull request #244
e6740ee Enforce DNSSEC for checkpoint updates (Thomas Winget) dbf46a7 DNSSEC added (hardcoded key) (Thomas Winget)
Diffstat (limited to 'src')
-rw-r--r--src/common/dns_utils.cpp66
-rw-r--r--src/cryptonote_core/checkpoints_create.cpp27
2 files changed, 83 insertions, 10 deletions
diff --git a/src/common/dns_utils.cpp b/src/common/dns_utils.cpp
index 3e50b6af8..4ab93cce8 100644
--- a/src/common/dns_utils.cpp
+++ b/src/common/dns_utils.cpp
@@ -34,7 +34,65 @@
#include <stdlib.h>
#include "include_base_utils.h"
+#include <boost/filesystem/fstream.hpp>
using namespace epee;
+namespace bf = boost::filesystem;
+
+namespace
+{
+
+/*
+ * The following two functions were taken from unbound-anchor.c, from
+ * the unbound library packaged with this source. The license and source
+ * can be found in $PROJECT_ROOT/external/unbound
+ */
+
+/* Cert builtin commented out until it's used, as the compiler complains
+
+// return the built in root update certificate
+static const char*
+get_builtin_cert(void)
+{
+ return
+// The ICANN CA fetched at 24 Sep 2010. Valid to 2028
+"-----BEGIN CERTIFICATE-----\n"
+"MIIDdzCCAl+gAwIBAgIBATANBgkqhkiG9w0BAQsFADBdMQ4wDAYDVQQKEwVJQ0FO\n"
+"TjEmMCQGA1UECxMdSUNBTk4gQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkxFjAUBgNV\n"
+"BAMTDUlDQU5OIFJvb3QgQ0ExCzAJBgNVBAYTAlVTMB4XDTA5MTIyMzA0MTkxMloX\n"
+"DTI5MTIxODA0MTkxMlowXTEOMAwGA1UEChMFSUNBTk4xJjAkBgNVBAsTHUlDQU5O\n"
+"IENlcnRpZmljYXRpb24gQXV0aG9yaXR5MRYwFAYDVQQDEw1JQ0FOTiBSb290IENB\n"
+"MQswCQYDVQQGEwJVUzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKDb\n"
+"cLhPNNqc1NB+u+oVvOnJESofYS9qub0/PXagmgr37pNublVThIzyLPGCJ8gPms9S\n"
+"G1TaKNIsMI7d+5IgMy3WyPEOECGIcfqEIktdR1YWfJufXcMReZwU4v/AdKzdOdfg\n"
+"ONiwc6r70duEr1IiqPbVm5T05l1e6D+HkAvHGnf1LtOPGs4CHQdpIUcy2kauAEy2\n"
+"paKcOcHASvbTHK7TbbvHGPB+7faAztABLoneErruEcumetcNfPMIjXKdv1V1E3C7\n"
+"MSJKy+jAqqQJqjZoQGB0necZgUMiUv7JK1IPQRM2CXJllcyJrm9WFxY0c1KjBO29\n"
+"iIKK69fcglKcBuFShUECAwEAAaNCMEAwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8B\n"
+"Af8EBAMCAf4wHQYDVR0OBBYEFLpS6UmDJIZSL8eZzfyNa2kITcBQMA0GCSqGSIb3\n"
+"DQEBCwUAA4IBAQAP8emCogqHny2UYFqywEuhLys7R9UKmYY4suzGO4nkbgfPFMfH\n"
+"6M+Zj6owwxlwueZt1j/IaCayoKU3QsrYYoDRolpILh+FPwx7wseUEV8ZKpWsoDoD\n"
+"2JFbLg2cfB8u/OlE4RYmcxxFSmXBg0yQ8/IoQt/bxOcEEhhiQ168H2yE5rxJMt9h\n"
+"15nu5JBSewrCkYqYYmaxyOC3WrVGfHZxVI7MpIFcGdvSb2a1uyuua8l0BKgk3ujF\n"
+"0/wsHNeP22qNyVO+XVBzrM8fk8BSUFuiT/6tZTYXRtEt5aKQZgXbKU5dUF3jT9qg\n"
+"j/Br5BZw3X/zd325TvnswzMC1+ljLzHnQGGk\n"
+"-----END CERTIFICATE-----\n"
+ ;
+}
+*/
+
+/** return the built in root DS trust anchor */
+static const char*
+get_builtin_ds(void)
+{
+ return
+". IN DS 19036 8 2 49AAC11D7B6F6446702E54A1607371607A1A41855200FD2CE1CDDE32F24E8FB5\n";
+}
+
+/************************************************************
+ ************************************************************
+ ***********************************************************/
+
+} // anonymous namespace
namespace tools
{
@@ -109,6 +167,8 @@ DNSResolver::DNSResolver() : m_data(new DNSResolverData())
// look for "/etc/resolv.conf" and "/etc/hosts" or platform equivalent
ub_ctx_resolvconf(m_data->m_ub_context, &empty_string);
ub_ctx_hosts(m_data->m_ub_context, &empty_string);
+
+ ub_ctx_add_ta(m_data->m_ub_context, ::get_builtin_ds());
}
DNSResolver::~DNSResolver()
@@ -143,6 +203,8 @@ std::vector<std::string> DNSResolver::get_ipv4(const std::string& url, bool& dns
// call DNS resolver, blocking. if return value not zero, something went wrong
if (!ub_resolve(m_data->m_ub_context, urlC, DNS_TYPE_A, DNS_CLASS_IN, &(result.ptr)))
{
+ dnssec_available = (result.ptr->secure || (!result.ptr->secure && result.ptr->bogus));
+ dnssec_valid = !result.ptr->bogus;
if (result.ptr->havedata)
{
for (size_t i=0; result.ptr->data[i] != NULL; i++)
@@ -175,6 +237,8 @@ std::vector<std::string> DNSResolver::get_ipv6(const std::string& url, bool& dns
// call DNS resolver, blocking. if return value not zero, something went wrong
if (!ub_resolve(m_data->m_ub_context, urlC, DNS_TYPE_AAAA, DNS_CLASS_IN, &(result.ptr)))
{
+ dnssec_available = (result.ptr->secure || (!result.ptr->secure && result.ptr->bogus));
+ dnssec_valid = !result.ptr->bogus;
if (result.ptr->havedata)
{
for (size_t i=0; result.ptr->data[i] != NULL; i++)
@@ -207,6 +271,8 @@ std::vector<std::string> DNSResolver::get_txt_record(const std::string& url, boo
// call DNS resolver, blocking. if return value not zero, something went wrong
if (!ub_resolve(m_data->m_ub_context, urlC, DNS_TYPE_TXT, DNS_CLASS_IN, &(result.ptr)))
{
+ dnssec_available = (result.ptr->secure || (!result.ptr->secure && result.ptr->bogus));
+ dnssec_valid = !result.ptr->bogus;
if (result.ptr->havedata)
{
for (size_t i=0; result.ptr->data[i] != NULL; i++)
diff --git a/src/cryptonote_core/checkpoints_create.cpp b/src/cryptonote_core/checkpoints_create.cpp
index 2cc9a8164..43f926682 100644
--- a/src/cryptonote_core/checkpoints_create.cpp
+++ b/src/cryptonote_core/checkpoints_create.cpp
@@ -138,21 +138,34 @@ bool load_checkpoints_from_dns(cryptonote::checkpoints& checkpoints, bool testne
size_t cur_index = first_index;
do
{
+ std::string url;
if (testnet)
{
- records = tools::DNSResolver::instance().get_txt_record(testnet_dns_urls[cur_index], avail, valid);
+ url = testnet_dns_urls[cur_index];
}
else
{
- records = tools::DNSResolver::instance().get_txt_record(dns_urls[cur_index], avail, valid);
+ url = dns_urls[cur_index];
}
- if (records.size() == 0 || (avail && !valid))
+
+ records = tools::DNSResolver::instance().get_txt_record(url, avail, valid);
+ if (!avail)
+ {
+ LOG_PRINT_L2("DNSSEC not available for checkpoint update at URL: " << url << ", skipping.");
+ }
+ if (!valid)
+ {
+ LOG_PRINT_L2("DNSSEC validation failed for checkpoint update at URL: " << url << ", skipping.");
+ }
+
+ if (records.size() == 0 || !avail || !valid)
{
cur_index++;
if (cur_index == dns_urls.size())
{
cur_index = 0;
}
+ records.clear();
continue;
}
break;
@@ -160,13 +173,7 @@ bool load_checkpoints_from_dns(cryptonote::checkpoints& checkpoints, bool testne
if (records.size() == 0)
{
- LOG_PRINT_L1("Fetching MoneroPulse checkpoints failed, no TXT records available.");
- return true;
- }
-
- if (avail && !valid)
- {
- LOG_PRINT_L0("WARNING: MoneroPulse failed DNSSEC validation and/or returned no records");
+ LOG_PRINT_L0("WARNING: All MoneroPulse checkpoint URLs failed DNSSEC validation and/or returned no records");
return true;
}