| 1 // Copyright 2016 The Chromium Authors. All rights reserved. | 1 // Copyright 2016 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "components/certificate_transparency/log_dns_client.h" | 5 #include "components/certificate_transparency/log_dns_client.h" |
| 6 | 6 |
| 7 #include <sstream> | 7 #include <sstream> |
| 8 | 8 |
| 9 #include "base/bind.h" | 9 #include "base/bind.h" |
| 10 #include "base/location.h" | 10 #include "base/location.h" |
| 22 #include "net/dns/dns_protocol.h" | 22 #include "net/dns/dns_protocol.h" |
| 23 #include "net/dns/dns_response.h" | 23 #include "net/dns/dns_response.h" |
| 24 #include "net/dns/dns_transaction.h" | 24 #include "net/dns/dns_transaction.h" |
| 25 #include "net/dns/record_parsed.h" | 25 #include "net/dns/record_parsed.h" |
| 26 #include "net/dns/record_rdata.h" | 26 #include "net/dns/record_rdata.h" |
| 27 | 27 |
| 28 namespace certificate_transparency { | 28 namespace certificate_transparency { |
| 29 | 29 |
| 30 namespace { | 30 namespace { |
| 31 | 31 |
| 32 // Parses the DNS response and extracts a single string from the TXT RDATA. |
| 33 // If the response is malformed, not a TXT record, or contains any number of |
| 34 // strings other than 1, this returns false and extracts nothing. |
| 35 // Otherwise, it returns true and the extracted string is assigned to |*txt|. |
| 32 bool ParseTxtResponse(const net::DnsResponse& response, std::string* txt) { | 36 bool ParseTxtResponse(const net::DnsResponse& response, std::string* txt) { |
| 33 DCHECK(txt); | 37 DCHECK(txt); |
| 34 | 38 |
| 35 net::DnsRecordParser parser = response.Parser(); | 39 net::DnsRecordParser parser = response.Parser(); |
| 36 // We don't care about the creation time, since we're going to throw | 40 // We don't care about the creation time, since we're going to throw |
| 37 // |parsed_record| away as soon as we've extracted the payload, so provide | 41 // |parsed_record| away as soon as we've extracted the payload, so provide |
| 38 // the "null" time. | 42 // the "null" time. |
| 39 auto parsed_record = net::RecordParsed::CreateFrom(&parser, base::Time()); | 43 auto parsed_record = net::RecordParsed::CreateFrom(&parser, base::Time()); |
| 40 if (parsed_record == nullptr) | 44 if (parsed_record == nullptr) |
| 41 return false; | 45 return false; |
| 42 | 46 |
| 43 auto* txt_record = parsed_record->rdata<net::TxtRecordRdata>(); | 47 auto* txt_record = parsed_record->rdata<net::TxtRecordRdata>(); |
| 44 if (txt_record == nullptr) | 48 if (txt_record == nullptr) |
| 45 return false; | 49 return false; |
| 46 | 50 |
| 47 *txt = base::JoinString(txt_record->texts(), ""); | 51 // The draft CT-over-DNS RFC says that there MUST be exactly one string in the |
| 52 // TXT record. |
| 53 if (txt_record->texts().size() != 1) |
| 54 return false; |
| 55 |
| 56 *txt = txt_record->texts().front(); |
| 48 return true; | 57 return true; |
| 49 } | 58 } |
| 50 | 59 |
| 60 // Extracts a leaf index value from a DNS response's TXT RDATA. |
| 61 // Returns true on success, false otherwise. |
| 51 bool ParseLeafIndex(const net::DnsResponse& response, uint64_t* index) { | 62 bool ParseLeafIndex(const net::DnsResponse& response, uint64_t* index) { |
| 52 DCHECK(index); | 63 DCHECK(index); |
| 53 | 64 |
| 54 std::string index_str; | 65 std::string index_str; |
| 55 if (!ParseTxtResponse(response, &index_str)) | 66 if (!ParseTxtResponse(response, &index_str)) |
| 56 return false; | 67 return false; |
| 57 | 68 |
| 58 return base::StringToUint64(index_str, index); | 69 return base::StringToUint64(index_str, index); |
| 59 } | 70 } |
| 60 | 71 |
| 72 // Extracts audit proof nodes from a DNS response's TXT RDATA. |
| 73 // Returns true on success, false otherwise. |
| 74 // It will fail if there is not a whole number of nodes present > 0. |
| 75 // There must only be one string in the TXT RDATA. |
| 76 // The nodes will be appended to |proof->nodes| |
| 61 bool ParseAuditPath(const net::DnsResponse& response, | 77 bool ParseAuditPath(const net::DnsResponse& response, |
| 62 net::ct::MerkleAuditProof* proof) { | 78 net::ct::MerkleAuditProof* proof) { |
| 63 DCHECK(proof); | 79 DCHECK(proof); |
| 64 | 80 |
| 65 std::string audit_path; | 81 std::string audit_path; |
| 66 if (!ParseTxtResponse(response, &audit_path)) | 82 if (!ParseTxtResponse(response, &audit_path)) |
| 67 return false; | 83 return false; |
| 68 // If empty or not a multiple of the node size, it is considered invalid. | 84 // If empty or not a multiple of the node size, it is considered invalid. |
| 69 // It's important to consider empty audit paths as invalid, as otherwise an | 85 // It's important to consider empty audit paths as invalid, as otherwise an |
| 70 // infinite loop could occur if the server consistently returned empty | 86 // infinite loop could occur if the server consistently returned empty |
| 305 } | 321 } |
| 306 | 322 |
| 307 void LogDnsClient::UpdateDnsConfig() { | 323 void LogDnsClient::UpdateDnsConfig() { |
| 308 net::DnsConfig config; | 324 net::DnsConfig config; |
| 309 net::NetworkChangeNotifier::GetDnsConfig(&config); | 325 net::NetworkChangeNotifier::GetDnsConfig(&config); |
| 310 if (config.IsValid()) | 326 if (config.IsValid()) |
| 311 dns_client_->SetConfig(config); | 327 dns_client_->SetConfig(config); |
| 312 } | 328 } |
| 313 | 329 |
| 314 } // namespace certificate_transparency | 330 } // namespace certificate_transparency |
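Review bot: In ParseTxtResponse the new size check and the assignment that follows each call `txt_record->texts()` separately; binding the result once, `const auto& texts = txt_record->texts();` then `if (texts.size() != 1) return false;` and `*txt = texts.front();`, reads more clearly and avoids a copy if that accessor happens to return by value, which the hunk does not show. Since `net::RecordParsed::CreateFrom` is invoked only once, only the first record in the response is examined and any further answer records are silently ignored; as this data arrives from the network, that limitation is worth stating in the new header comment so callers do not assume the whole answer section is validated. The new ParseAuditPath comment is also awkward: "It will fail if there is not a whole number of nodes present > 0" could read "It fails unless the RDATA holds a non-zero whole number of nodes", and the last line "The nodes will be appended to |proof->nodes|" lacks a period. ParseAuditPath's body continues beyond the visible hunk.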