echelon/i2p.i2p
1
0
Fork 0
forked from I2P_Developers/i2p.i2p
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Utils: Fix SAN verification for IPv6 hostnames

Browse Source 
Add Quad9 DoH servers
Change Google DoH server hostname
This commit is contained in:
zzz
2019-09-03 15:34:21 +00:00
parent b119d0be43
commit 0f2f7e2454
3 changed files with 20 additions and 6 deletions
Download Patch File Download Diff File Expand all files Collapse all files

15
core/java/src/net/i2p/util/DNSOverHTTPS.java
View File

@ -63,9 +63,10 @@ public class DNSOverHTTPS implements EepGet.StatusListener {
static { static {
// Warning: All hostnames MUST be in loop check in lookup() below // Warning: All hostnames MUST be in loop check in lookup() below
// Google // Google
// Certs for 8.8.8.8 and 8.8.4.4 don't work // https://developers.google.com/speed/public-dns/docs/doh/
v4urls.add("https://dns.google.com/resolve?edns_client_subnet=0.0.0.0/0&"); // 8.8.8.8 and 8.8.4.4 now redirect to dns.google, but SSLEepGet doesn't support redirect
v6urls.add("https://dns.google.com/resolve?edns_client_subnet=0.0.0.0/0&"); v4urls.add("https://dns.google/resolve?edns_client_subnet=0.0.0.0/0&");
v6urls.add("https://dns.google/resolve?edns_client_subnet=0.0.0.0/0&");
// Cloudflare cloudflare-dns.com // Cloudflare cloudflare-dns.com
// https://developers.cloudflare.com/1.1.1.1/nitty-gritty-details/ // https://developers.cloudflare.com/1.1.1.1/nitty-gritty-details/
// 1.1.1.1 is a privacy centric resolver so it does not send any client IP information // 1.1.1.1 is a privacy centric resolver so it does not send any client IP information
@ -74,6 +75,12 @@ public class DNSOverHTTPS implements EepGet.StatusListener {
v4urls.add("https://1.0.0.1/dns-query?ct=application/dns-json&"); v4urls.add("https://1.0.0.1/dns-query?ct=application/dns-json&");
v6urls.add("https://[2606:4700:4700::1111]/dns-query?ct=application/dns-json&"); v6urls.add("https://[2606:4700:4700::1111]/dns-query?ct=application/dns-json&");
v6urls.add("https://[2606:4700:4700::1001]/dns-query?ct=application/dns-json&"); v6urls.add("https://[2606:4700:4700::1001]/dns-query?ct=application/dns-json&");
// Quad9
// https://quad9.net/doh-quad9-dns-servers/
v4urls.add("https://9.9.9.9:5053/dns-query?");
v4urls.add("https://149.112.112.112:5053/dns-query?");
v6urls.add("https://[2620:fe::fe]:5053/dns-query?");
v6urls.add("https://[2620:fe::fe:9]:5053/dns-query?");
} }
// keep the timeout very short, as we try multiple addresses, // keep the timeout very short, as we try multiple addresses,
@ -138,7 +145,7 @@ public class DNSOverHTTPS implements EepGet.StatusListener {
} }
} }
// don't loop via SSLEepGet // don't loop via SSLEepGet
if (host.equals("dns.google.com")) if (host.equals("dns.google"))
return "8.8.8.8"; return "8.8.8.8";
if (type == Type.V4_ONLY || type == Type.V4_PREFERRED) { if (type == Type.V4_ONLY || type == Type.V4_PREFERRED) {
// v4 lookup // v4 lookup

4
core/java/src/net/i2p/util/I2PSSLSocketFactory.java
View File

@ -285,7 +285,9 @@ public class I2PSSLSocketFactory {
} }
/** /**
* Validate the hostname * Validate the hostname.
* Warning - be sure to remove [] from IPv6 addresses in host parameter if you
* got it from URI.getHost().
* *
* ref: https://developer.android.com/training/articles/security-ssl.html * ref: https://developer.android.com/training/articles/security-ssl.html
* ref: http://op-co.de/blog/posts/java_sslsocket_mitm/ * ref: http://op-co.de/blog/posts/java_sslsocket_mitm/

7
core/java/src/net/i2p/util/SSLEepGet.java
View File

@ -769,8 +769,13 @@ public class SSLEepGet extends EepGet {
SSLSocket socket = (SSLSocket) _proxy; SSLSocket socket = (SSLSocket) _proxy;
I2PSSLSocketFactory.setProtocolsAndCiphers(socket); I2PSSLSocketFactory.setProtocolsAndCiphers(socket);
if (!_bypassVerification) { if (!_bypassVerification) {
String vhost = originalHost;
if (vhost.startsWith("[") && vhost.endsWith("]")) {
// URI.getHost() does not strip []
vhost = vhost.substring(1, vhost.length() - 1);
}
try { try {
I2PSSLSocketFactory.verifyHostname(_context, socket, originalHost); I2PSSLSocketFactory.verifyHostname(_context, socket, vhost);
} catch (SSLException ssle) { } catch (SSLException ssle) {
if (_saveCerts > 0 && _stm != null) if (_saveCerts > 0 && _stm != null)
saveCerts(host, _stm); saveCerts(host, _stm);