mirror of
https://codeberg.org/Mercury-IM/Smack
synced 2024-11-24 15:22:07 +01:00
Add support for DNSSEC/DANE
This closes the cycle which started with a GSOC 2015 project under the umbrella of the XSF adding DNSSEC/DANE support to MiniDNS. Fixes SMACK-366.
This commit is contained in:
parent
042fe3c72c
commit
a1630d033e
18 changed files with 698 additions and 134 deletions
75
documentation/dnssec.md
Normal file
75
documentation/dnssec.md
Normal file
|
@ -0,0 +1,75 @@
|
||||||
|
DNSSEC and DANE
|
||||||
|
===============
|
||||||
|
|
||||||
|
[Back](index.md)
|
||||||
|
|
||||||
|
**DNSSEC and DANE support in Smack and MiniDNS is still in its
|
||||||
|
infancy. It should be considered experimental and not ready for
|
||||||
|
production use at this time.** We would like to see more thorough
|
||||||
|
testing and review by the security community. If you can help, then
|
||||||
|
please do not hesitate to contact us.
|
||||||
|
|
||||||
|
About
|
||||||
|
-----
|
||||||
|
|
||||||
|
DNSSEC ([RFC 4033](https://tools.ietf.org/html/rfc4033) and others)
|
||||||
|
authenticates DNS answers, positive and negative ones. This means that
|
||||||
|
if a DNS response secured by DNSSEC turns out to be authentic, then
|
||||||
|
you can be sure that the domain either exists, and that the returned
|
||||||
|
resource records (RRs) are the ones the domain owner authorized, or
|
||||||
|
that the domain does not exists and that nobody tried to fake its non
|
||||||
|
existence.
|
||||||
|
|
||||||
|
The tricky part is that an application using DNSSEC can not determine
|
||||||
|
whether a domain uses DNSSEC, does not use DNSSEC or if someone
|
||||||
|
downgraded your DNS query using DNSSEC to a response without DNSSEC.
|
||||||
|
|
||||||
|
[DANE](https://tools.ietf.org/html/rfc6698) allows the verification of
|
||||||
|
a TLS certificate with information stored in the DNS system and
|
||||||
|
secured by DNSSEC. Thus DANE requires DNSSEC.
|
||||||
|
|
||||||
|
Prerequisites
|
||||||
|
-------------
|
||||||
|
|
||||||
|
From the three DNS resolver providers (MiniDNS, javax, dnsjava)
|
||||||
|
supported by Smack only [MiniDNS](https://github.com/rtreffer/minidns)
|
||||||
|
currently supports DNSSEC. MiniDNS is the default resolver when
|
||||||
|
smack-android is used. For other configurations, make sure to add
|
||||||
|
smack-resolver-minidns to your dependencies and call
|
||||||
|
`MiniDnsResolver.setup()` prior using Smack (e.g. in a `static {}`
|
||||||
|
code block).
|
||||||
|
|
||||||
|
DNSSEC API
|
||||||
|
----------
|
||||||
|
|
||||||
|
Smack's DNSSEC API is very simple: Just use
|
||||||
|
`ConnectionConfiguration.Builder..setDnssecMode(DnssecMode)` to enable
|
||||||
|
DNSSEC. `DnssecMode` can be one of
|
||||||
|
|
||||||
|
- `disabled`
|
||||||
|
- `needsDnssec`
|
||||||
|
- `needsDnssecAndDane`
|
||||||
|
|
||||||
|
The default is `disabled`.
|
||||||
|
|
||||||
|
If `needsDnssec` is used, then Smack will only connect if the DNS
|
||||||
|
results required to determine a host for the XMPP domain could be
|
||||||
|
verified using DNSSEC.
|
||||||
|
|
||||||
|
If `needsDnssecAndDane` then DANE will be used to verify the XMPP
|
||||||
|
service's TLS certificate if STARTTLS is used. Note that you may want
|
||||||
|
to configure
|
||||||
|
`ConnectionConfiguration.Builder.setSecurityMode(SecurityMode.required)`
|
||||||
|
if you use this DNSSEC mode setting.
|
||||||
|
|
||||||
|
Best practices
|
||||||
|
--------------
|
||||||
|
|
||||||
|
We recommend that applications using Smack's DNSSEC API do not ask the
|
||||||
|
user if DNSSEC is avaialble. Instead they should check for DNSSEC
|
||||||
|
suport on every connection attempt. Once DNSSEC support has been
|
||||||
|
discovered, the application should use the `needsDnssec` mode for all
|
||||||
|
future connection attempts. The same scheme can be applied when using
|
||||||
|
DANE. This approach is similar to the scheme established by
|
||||||
|
to
|
||||||
|
["HTTP Strict Transport Security" (HSTS, RFC 6797)](https://tools.ietf.org/html/rfc6797).
|
|
@ -9,6 +9,7 @@
|
||||||
* [Roster and Presence](roster.md)
|
* [Roster and Presence](roster.md)
|
||||||
* [Processing Incoming Stanzas](processing.md)
|
* [Processing Incoming Stanzas](processing.md)
|
||||||
* [Provider Architecture](providers.md)
|
* [Provider Architecture](providers.md)
|
||||||
|
* [DNSSEC and DANE](dnssec.md)
|
||||||
* [Debugging with Smack](debugging.md)
|
* [Debugging with Smack](debugging.md)
|
||||||
|
|
||||||
* [Smack Extensions Manual](extensions/index.md)
|
* [Smack Extensions Manual](extensions/index.md)
|
||||||
|
|
|
@ -586,11 +586,10 @@ public abstract class AbstractXMPPConnection implements XMPPConnection {
|
||||||
// N.B.: Important to use config.serviceName and not AbstractXMPPConnection.serviceName
|
// N.B.: Important to use config.serviceName and not AbstractXMPPConnection.serviceName
|
||||||
if (config.host != null) {
|
if (config.host != null) {
|
||||||
hostAddresses = new ArrayList<HostAddress>(1);
|
hostAddresses = new ArrayList<HostAddress>(1);
|
||||||
HostAddress hostAddress;
|
HostAddress hostAddress = DNSUtil.getDNSResolver().lookupHostAddress(config.host, failedAddresses, config.getDnssecMode());
|
||||||
hostAddress = new HostAddress(config.host, config.port);
|
|
||||||
hostAddresses.add(hostAddress);
|
hostAddresses.add(hostAddress);
|
||||||
} else {
|
} else {
|
||||||
hostAddresses = DNSUtil.resolveXMPPServiceDomain(config.getXMPPServiceDomain().toString(), failedAddresses);
|
hostAddresses = DNSUtil.resolveXMPPServiceDomain(config.getXMPPServiceDomain().toString(), failedAddresses, config.getDnssecMode());
|
||||||
}
|
}
|
||||||
// If we reach this, then hostAddresses *must not* be empty, i.e. there is at least one host added, either the
|
// If we reach this, then hostAddresses *must not* be empty, i.e. there is at least one host added, either the
|
||||||
// config.host one or the host representing the service name by DNSUtil
|
// config.host one or the host representing the service name by DNSUtil
|
||||||
|
|
|
@ -39,6 +39,7 @@ import org.jxmpp.stringprep.XmppStringprepException;
|
||||||
import javax.net.SocketFactory;
|
import javax.net.SocketFactory;
|
||||||
import javax.net.ssl.HostnameVerifier;
|
import javax.net.ssl.HostnameVerifier;
|
||||||
import javax.net.ssl.SSLContext;
|
import javax.net.ssl.SSLContext;
|
||||||
|
import javax.net.ssl.X509TrustManager;
|
||||||
import javax.security.auth.callback.CallbackHandler;
|
import javax.security.auth.callback.CallbackHandler;
|
||||||
|
|
||||||
/**
|
/**
|
||||||
|
@ -97,6 +98,10 @@ public abstract class ConnectionConfiguration {
|
||||||
private final boolean legacySessionDisabled;
|
private final boolean legacySessionDisabled;
|
||||||
private final SecurityMode securityMode;
|
private final SecurityMode securityMode;
|
||||||
|
|
||||||
|
private final DnssecMode dnssecMode;
|
||||||
|
|
||||||
|
private final X509TrustManager customX509TrustManager;
|
||||||
|
|
||||||
/**
|
/**
|
||||||
*
|
*
|
||||||
*/
|
*/
|
||||||
|
@ -135,6 +140,10 @@ public abstract class ConnectionConfiguration {
|
||||||
proxy = builder.proxy;
|
proxy = builder.proxy;
|
||||||
socketFactory = builder.socketFactory;
|
socketFactory = builder.socketFactory;
|
||||||
|
|
||||||
|
dnssecMode = builder.dnssecMode;
|
||||||
|
|
||||||
|
customX509TrustManager = builder.customX509TrustManager;
|
||||||
|
|
||||||
securityMode = builder.securityMode;
|
securityMode = builder.securityMode;
|
||||||
keystoreType = builder.keystoreType;
|
keystoreType = builder.keystoreType;
|
||||||
keystorePath = builder.keystorePath;
|
keystorePath = builder.keystorePath;
|
||||||
|
@ -151,6 +160,11 @@ public abstract class ConnectionConfiguration {
|
||||||
|
|
||||||
// If the enabledSaslmechanisms are set, then they must not be empty
|
// If the enabledSaslmechanisms are set, then they must not be empty
|
||||||
assert(enabledSaslMechanisms != null ? !enabledSaslMechanisms.isEmpty() : true);
|
assert(enabledSaslMechanisms != null ? !enabledSaslMechanisms.isEmpty() : true);
|
||||||
|
|
||||||
|
if (dnssecMode != DnssecMode.disabled && customSSLContext != null) {
|
||||||
|
throw new IllegalStateException("You can not use a custom SSL context with DNSSEC enabled");
|
||||||
|
}
|
||||||
|
|
||||||
}
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
|
@ -183,6 +197,14 @@ public abstract class ConnectionConfiguration {
|
||||||
return securityMode;
|
return securityMode;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
public DnssecMode getDnssecMode() {
|
||||||
|
return dnssecMode;
|
||||||
|
}
|
||||||
|
|
||||||
|
public X509TrustManager getCustomX509TrustManager() {
|
||||||
|
return customX509TrustManager;
|
||||||
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Retuns the path to the keystore file. The key store file contains the
|
* Retuns the path to the keystore file. The key store file contains the
|
||||||
* certificates that may be used to authenticate the client to the server,
|
* certificates that may be used to authenticate the client to the server,
|
||||||
|
@ -342,6 +364,37 @@ public abstract class ConnectionConfiguration {
|
||||||
disabled
|
disabled
|
||||||
}
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Determines the requested DNSSEC security mode.
|
||||||
|
* <b>Note that Smack's support for DNSSEC/DANE is experimental!</b>
|
||||||
|
* <p>
|
||||||
|
* The default '{@link #disabled}' means that neither DNSSEC nor DANE verification will be performed. When
|
||||||
|
* '{@link #needsDnssec}' is used, then the connection will not be established if the resource records used to connect
|
||||||
|
* to the XMPP service are not authenticated by DNSSEC. Additionally, if '{@link #needsDnssecAndDane}' is used, then
|
||||||
|
* the XMPP service's TLS certificate is verified using DANE.
|
||||||
|
*
|
||||||
|
*/
|
||||||
|
public enum DnssecMode {
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Do not perform any DNSSEC authentication or DANE verification.
|
||||||
|
*/
|
||||||
|
disabled,
|
||||||
|
|
||||||
|
/**
|
||||||
|
* <b>Experimental!</b>
|
||||||
|
* Require all DNS information to be authenticated by DNSSEC.
|
||||||
|
*/
|
||||||
|
needsDnssec,
|
||||||
|
|
||||||
|
/**
|
||||||
|
* <b>Experimental!</b>
|
||||||
|
* Require all DNS information to be authenticated by DNSSEC and require the XMPP service's TLS certificate to be verified using DANE.
|
||||||
|
*/
|
||||||
|
needsDnssecAndDane,
|
||||||
|
|
||||||
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Returns the username to use when trying to reconnect to the server.
|
* Returns the username to use when trying to reconnect to the server.
|
||||||
*
|
*
|
||||||
|
@ -437,6 +490,7 @@ public abstract class ConnectionConfiguration {
|
||||||
*/
|
*/
|
||||||
public static abstract class Builder<B extends Builder<B, C>, C extends ConnectionConfiguration> {
|
public static abstract class Builder<B extends Builder<B, C>, C extends ConnectionConfiguration> {
|
||||||
private SecurityMode securityMode = SecurityMode.ifpossible;
|
private SecurityMode securityMode = SecurityMode.ifpossible;
|
||||||
|
private DnssecMode dnssecMode = DnssecMode.disabled;
|
||||||
private String keystorePath = System.getProperty("javax.net.ssl.keyStore");
|
private String keystorePath = System.getProperty("javax.net.ssl.keyStore");
|
||||||
private String keystoreType = "jks";
|
private String keystoreType = "jks";
|
||||||
private String pkcs11Library = "pkcs11.config";
|
private String pkcs11Library = "pkcs11.config";
|
||||||
|
@ -460,6 +514,7 @@ public abstract class ConnectionConfiguration {
|
||||||
private boolean allowEmptyOrNullUsername = false;
|
private boolean allowEmptyOrNullUsername = false;
|
||||||
private boolean saslMechanismsSealed;
|
private boolean saslMechanismsSealed;
|
||||||
private Set<String> enabledSaslMechanisms;
|
private Set<String> enabledSaslMechanisms;
|
||||||
|
private X509TrustManager customX509TrustManager;
|
||||||
|
|
||||||
protected Builder() {
|
protected Builder() {
|
||||||
}
|
}
|
||||||
|
@ -569,6 +624,16 @@ public abstract class ConnectionConfiguration {
|
||||||
return getThis();
|
return getThis();
|
||||||
}
|
}
|
||||||
|
|
||||||
|
public B setDnssecMode(DnssecMode dnssecMode) {
|
||||||
|
this.dnssecMode = Objects.requireNonNull(dnssecMode, "DNSSEC mode must not be null");
|
||||||
|
return getThis();
|
||||||
|
}
|
||||||
|
|
||||||
|
public B setCustomX509TrustManager(X509TrustManager x509TrustManager) {
|
||||||
|
this.customX509TrustManager = x509TrustManager;
|
||||||
|
return getThis();
|
||||||
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Sets the TLS security mode used when making the connection. By default,
|
* Sets the TLS security mode used when making the connection. By default,
|
||||||
* the mode is {@link SecurityMode#ifpossible}.
|
* the mode is {@link SecurityMode#ifpossible}.
|
||||||
|
|
|
@ -1,6 +1,6 @@
|
||||||
/**
|
/**
|
||||||
*
|
*
|
||||||
* Copyright 2003-2005 Jive Software.
|
* Copyright 2003-2005 Jive Software, 2016 Florian Schmaus.
|
||||||
*
|
*
|
||||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||||
* you may not use this file except in compliance with the License.
|
* you may not use this file except in compliance with the License.
|
||||||
|
@ -25,7 +25,9 @@ import java.util.TreeMap;
|
||||||
import java.util.logging.Level;
|
import java.util.logging.Level;
|
||||||
import java.util.logging.Logger;
|
import java.util.logging.Logger;
|
||||||
|
|
||||||
|
import org.jivesoftware.smack.ConnectionConfiguration.DnssecMode;
|
||||||
import org.jivesoftware.smack.util.dns.DNSResolver;
|
import org.jivesoftware.smack.util.dns.DNSResolver;
|
||||||
|
import org.jivesoftware.smack.util.dns.SmackDaneProvider;
|
||||||
import org.jivesoftware.smack.util.dns.HostAddress;
|
import org.jivesoftware.smack.util.dns.HostAddress;
|
||||||
import org.jivesoftware.smack.util.dns.SRVRecord;
|
import org.jivesoftware.smack.util.dns.SRVRecord;
|
||||||
|
|
||||||
|
@ -33,11 +35,13 @@ import org.jivesoftware.smack.util.dns.SRVRecord;
|
||||||
* Utility class to perform DNS lookups for XMPP services.
|
* Utility class to perform DNS lookups for XMPP services.
|
||||||
*
|
*
|
||||||
* @author Matt Tucker
|
* @author Matt Tucker
|
||||||
|
* @author Florian Schmaus
|
||||||
*/
|
*/
|
||||||
public class DNSUtil {
|
public class DNSUtil {
|
||||||
|
|
||||||
private static final Logger LOGGER = Logger.getLogger(DNSUtil.class.getName());
|
private static final Logger LOGGER = Logger.getLogger(DNSUtil.class.getName());
|
||||||
private static DNSResolver dnsResolver = null;
|
private static DNSResolver dnsResolver = null;
|
||||||
|
private static SmackDaneProvider daneProvider;
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* International Domain Name transformer.
|
* International Domain Name transformer.
|
||||||
|
@ -62,7 +66,7 @@ public class DNSUtil {
|
||||||
* @param resolver
|
* @param resolver
|
||||||
*/
|
*/
|
||||||
public static void setDNSResolver(DNSResolver resolver) {
|
public static void setDNSResolver(DNSResolver resolver) {
|
||||||
dnsResolver = resolver;
|
dnsResolver = Objects.requireNonNull(resolver);
|
||||||
}
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
|
@ -74,6 +78,23 @@ public class DNSUtil {
|
||||||
return dnsResolver;
|
return dnsResolver;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Set the DANE provider that should be used when DANE is enabled.
|
||||||
|
*
|
||||||
|
* @param daneProvider
|
||||||
|
*/
|
||||||
|
public static void setDaneProvider(SmackDaneProvider daneProvider) {
|
||||||
|
daneProvider = Objects.requireNonNull(daneProvider);
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Returns the currently active DANE provider used when DANE is enabled.
|
||||||
|
*
|
||||||
|
* @return the active DANE provider
|
||||||
|
*/
|
||||||
|
public static SmackDaneProvider getDaneProvider() {
|
||||||
|
return daneProvider;
|
||||||
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Set the IDNA (Internationalizing Domain Names in Applications, RFC 3490) transformer.
|
* Set the IDNA (Internationalizing Domain Names in Applications, RFC 3490) transformer.
|
||||||
|
@ -109,15 +130,10 @@ public class DNSUtil {
|
||||||
* @return List of HostAddress, which encompasses the hostname and port that the
|
* @return List of HostAddress, which encompasses the hostname and port that the
|
||||||
* XMPP server can be reached at for the specified domain.
|
* XMPP server can be reached at for the specified domain.
|
||||||
*/
|
*/
|
||||||
public static List<HostAddress> resolveXMPPServiceDomain(String domain, List<HostAddress> failedAddresses) {
|
public static List<HostAddress> resolveXMPPServiceDomain(String domain, List<HostAddress> failedAddresses, DnssecMode dnssecMode) {
|
||||||
domain = idnaTransformer.transform(domain);
|
domain = idnaTransformer.transform(domain);
|
||||||
if (dnsResolver == null) {
|
|
||||||
LOGGER.warning("No DNS Resolver active in Smack, will be unable to perform DNS SRV lookups");
|
return resolveDomain(domain, DomainType.Client, failedAddresses, dnssecMode);
|
||||||
List<HostAddress> addresses = new ArrayList<HostAddress>(1);
|
|
||||||
addresses.add(new HostAddress(domain, 5222));
|
|
||||||
return addresses;
|
|
||||||
}
|
|
||||||
return resolveDomain(domain, DomainType.Client, failedAddresses);
|
|
||||||
}
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
|
@ -134,25 +150,25 @@ public class DNSUtil {
|
||||||
* @return List of HostAddress, which encompasses the hostname and port that the
|
* @return List of HostAddress, which encompasses the hostname and port that the
|
||||||
* XMPP server can be reached at for the specified domain.
|
* XMPP server can be reached at for the specified domain.
|
||||||
*/
|
*/
|
||||||
public static List<HostAddress> resolveXMPPServerDomain(String domain, List<HostAddress> failedAddresses) {
|
public static List<HostAddress> resolveXMPPServerDomain(String domain, List<HostAddress> failedAddresses, DnssecMode dnssecMode) {
|
||||||
domain = idnaTransformer.transform(domain);
|
domain = idnaTransformer.transform(domain);
|
||||||
if (dnsResolver == null) {
|
|
||||||
LOGGER.warning("No DNS Resolver active in Smack, will be unable to perform DNS SRV lookups");
|
return resolveDomain(domain, DomainType.Server, failedAddresses, dnssecMode);
|
||||||
List<HostAddress> addresses = new ArrayList<HostAddress>(1);
|
|
||||||
addresses.add(new HostAddress(domain, 5269));
|
|
||||||
return addresses;
|
|
||||||
}
|
|
||||||
return resolveDomain(domain, DomainType.Server, failedAddresses);
|
|
||||||
}
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
*
|
*
|
||||||
* @param domain the domain.
|
* @param domain the domain.
|
||||||
* @param domainType the XMPP domain type, server or client.
|
* @param domainType the XMPP domain type, server or client.
|
||||||
* @param failedAddresses on optional list that will be populated with host addresses that failed to resolve.
|
* @param failedAddresses a list that will be populated with host addresses that failed to resolve.
|
||||||
* @return a list of resolver host addresses for this domain.
|
* @return a list of resolver host addresses for this domain.
|
||||||
*/
|
*/
|
||||||
private static List<HostAddress> resolveDomain(String domain, DomainType domainType, List<HostAddress> failedAddresses) {
|
private static List<HostAddress> resolveDomain(String domain, DomainType domainType,
|
||||||
|
List<HostAddress> failedAddresses, DnssecMode dnssecMode) {
|
||||||
|
if (dnsResolver == null) {
|
||||||
|
throw new IllegalStateException("No DNS Resolver active in Smack");
|
||||||
|
}
|
||||||
|
|
||||||
List<HostAddress> addresses = new ArrayList<HostAddress>();
|
List<HostAddress> addresses = new ArrayList<HostAddress>();
|
||||||
|
|
||||||
// Step one: Do SRV lookups
|
// Step one: Do SRV lookups
|
||||||
|
@ -167,8 +183,9 @@ public class DNSUtil {
|
||||||
default:
|
default:
|
||||||
throw new AssertionError();
|
throw new AssertionError();
|
||||||
}
|
}
|
||||||
try {
|
|
||||||
List<SRVRecord> srvRecords = dnsResolver.lookupSRVRecords(srvDomain);
|
List<SRVRecord> srvRecords = dnsResolver.lookupSRVRecords(srvDomain, failedAddresses, dnssecMode);
|
||||||
|
if (srvRecords != null) {
|
||||||
if (LOGGER.isLoggable(Level.FINE)) {
|
if (LOGGER.isLoggable(Level.FINE)) {
|
||||||
String logMessage = "Resolved SRV RR for " + srvDomain + ":";
|
String logMessage = "Resolved SRV RR for " + srvDomain + ":";
|
||||||
for (SRVRecord r : srvRecords)
|
for (SRVRecord r : srvRecords)
|
||||||
|
@ -178,18 +195,12 @@ public class DNSUtil {
|
||||||
List<HostAddress> sortedRecords = sortSRVRecords(srvRecords);
|
List<HostAddress> sortedRecords = sortSRVRecords(srvRecords);
|
||||||
addresses.addAll(sortedRecords);
|
addresses.addAll(sortedRecords);
|
||||||
}
|
}
|
||||||
catch (Exception e) {
|
|
||||||
LOGGER.log(Level.WARNING, "Exception while resovling SRV records for " + domain
|
|
||||||
+ ". Consider adding '_xmpp-(server|client)._tcp' DNS SRV Records", e);
|
|
||||||
if (failedAddresses != null) {
|
|
||||||
HostAddress failedHostAddress = new HostAddress(srvDomain);
|
|
||||||
failedHostAddress.setException(e);
|
|
||||||
failedAddresses.add(failedHostAddress);
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
// Step two: Add the hostname to the end of the list
|
// Step two: Add the hostname to the end of the list
|
||||||
addresses.add(new HostAddress(domain));
|
HostAddress hostAddress = dnsResolver.lookupHostAddress(domain, failedAddresses, dnssecMode);
|
||||||
|
if (hostAddress != null) {
|
||||||
|
addresses.add(hostAddress);
|
||||||
|
}
|
||||||
|
|
||||||
return addresses;
|
return addresses;
|
||||||
}
|
}
|
||||||
|
|
|
@ -1,6 +1,6 @@
|
||||||
/**
|
/**
|
||||||
*
|
*
|
||||||
* Copyright 2013 Florian Schmaus
|
* Copyright 2013-2016 Florian Schmaus
|
||||||
*
|
*
|
||||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||||
* you may not use this file except in compliance with the License.
|
* you may not use this file except in compliance with the License.
|
||||||
|
@ -16,19 +16,67 @@
|
||||||
*/
|
*/
|
||||||
package org.jivesoftware.smack.util.dns;
|
package org.jivesoftware.smack.util.dns;
|
||||||
|
|
||||||
|
import java.net.InetAddress;
|
||||||
|
import java.net.UnknownHostException;
|
||||||
|
import java.util.Arrays;
|
||||||
import java.util.List;
|
import java.util.List;
|
||||||
|
|
||||||
|
import org.jivesoftware.smack.ConnectionConfiguration.DnssecMode;
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Implementations of this interface define a class that is capable of resolving DNS addresses.
|
* Implementations of this interface define a class that is capable of resolving DNS addresses.
|
||||||
*
|
*
|
||||||
*/
|
*/
|
||||||
public interface DNSResolver {
|
public abstract class DNSResolver {
|
||||||
|
|
||||||
|
private final boolean supportsDnssec;
|
||||||
|
|
||||||
|
protected DNSResolver(boolean supportsDnssec) {
|
||||||
|
this.supportsDnssec = supportsDnssec;
|
||||||
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Gets a list of service records for the specified service.
|
* Gets a list of service records for the specified service.
|
||||||
* @param name The symbolic name of the service.
|
* @param name The symbolic name of the service.
|
||||||
* @return The list of SRV records mapped to the service name.
|
* @return The list of SRV records mapped to the service name.
|
||||||
*/
|
*/
|
||||||
List<SRVRecord> lookupSRVRecords(String name) throws Exception;
|
public final List<SRVRecord> lookupSRVRecords(String name, List<HostAddress> failedAddresses, DnssecMode dnssecMode) {
|
||||||
|
checkIfDnssecRequestedAndSupported(dnssecMode);
|
||||||
|
return lookupSRVRecords0(name, failedAddresses, dnssecMode);
|
||||||
|
}
|
||||||
|
|
||||||
|
protected abstract List<SRVRecord> lookupSRVRecords0(String name, List<HostAddress> failedAddresses, DnssecMode dnssecMode);
|
||||||
|
|
||||||
|
public final HostAddress lookupHostAddress(String name, List<HostAddress> failedAddresses, DnssecMode dnssecMode) {
|
||||||
|
checkIfDnssecRequestedAndSupported(dnssecMode);
|
||||||
|
List<InetAddress> inetAddresses = lookupHostAddress0(name, failedAddresses, dnssecMode);
|
||||||
|
if (inetAddresses == null) {
|
||||||
|
return null;
|
||||||
|
}
|
||||||
|
return new HostAddress(name, inetAddresses);
|
||||||
|
}
|
||||||
|
|
||||||
|
protected List<InetAddress> lookupHostAddress0(String name, List<HostAddress> failedAddresses, DnssecMode dnssecMode) {
|
||||||
|
// Default implementation of a DNS name lookup for A/AAAA records. It is assumed that this method does never
|
||||||
|
// support DNSSEC. Subclasses are free to override this method.
|
||||||
|
if (dnssecMode != DnssecMode.disabled) {
|
||||||
|
throw new UnsupportedOperationException("This resolver does not support DNSSEC");
|
||||||
|
}
|
||||||
|
|
||||||
|
InetAddress[] inetAddressArray;
|
||||||
|
try {
|
||||||
|
inetAddressArray = InetAddress.getAllByName(name);
|
||||||
|
} catch (UnknownHostException e) {
|
||||||
|
failedAddresses.add(new HostAddress(name, e));
|
||||||
|
return null;
|
||||||
|
}
|
||||||
|
|
||||||
|
return Arrays.asList(inetAddressArray);
|
||||||
|
}
|
||||||
|
|
||||||
|
private final void checkIfDnssecRequestedAndSupported(DnssecMode dnssecMode) {
|
||||||
|
if (dnssecMode != DnssecMode.disabled && !supportsDnssec) {
|
||||||
|
throw new UnsupportedOperationException("This resolver does not support DNSSEC");
|
||||||
|
}
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|
|
@ -1,6 +1,6 @@
|
||||||
/**
|
/**
|
||||||
*
|
*
|
||||||
* Copyright © 2013-2014 Florian Schmaus
|
* Copyright © 2013-2016 Florian Schmaus
|
||||||
*
|
*
|
||||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||||
* you may not use this file except in compliance with the License.
|
* you may not use this file except in compliance with the License.
|
||||||
|
@ -20,6 +20,7 @@ import java.net.InetAddress;
|
||||||
import java.util.Collections;
|
import java.util.Collections;
|
||||||
import java.util.Iterator;
|
import java.util.Iterator;
|
||||||
import java.util.LinkedHashMap;
|
import java.util.LinkedHashMap;
|
||||||
|
import java.util.List;
|
||||||
import java.util.Map;
|
import java.util.Map;
|
||||||
import java.util.Map.Entry;
|
import java.util.Map.Entry;
|
||||||
|
|
||||||
|
@ -30,6 +31,7 @@ public class HostAddress {
|
||||||
private final String fqdn;
|
private final String fqdn;
|
||||||
private final int port;
|
private final int port;
|
||||||
private final Map<InetAddress, Exception> exceptions = new LinkedHashMap<>();
|
private final Map<InetAddress, Exception> exceptions = new LinkedHashMap<>();
|
||||||
|
private final List<InetAddress> inetAddresses;
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Creates a new HostAddress with the given FQDN. The port will be set to the default XMPP client port: 5222
|
* Creates a new HostAddress with the given FQDN. The port will be set to the default XMPP client port: 5222
|
||||||
|
@ -37,9 +39,9 @@ public class HostAddress {
|
||||||
* @param fqdn Fully qualified domain name.
|
* @param fqdn Fully qualified domain name.
|
||||||
* @throws IllegalArgumentException If the fqdn is null.
|
* @throws IllegalArgumentException If the fqdn is null.
|
||||||
*/
|
*/
|
||||||
public HostAddress(String fqdn) {
|
public HostAddress(String fqdn, List<InetAddress> inetAddresses) {
|
||||||
// Set port to the default port for XMPP client communication
|
// Set port to the default port for XMPP client communication
|
||||||
this(fqdn, 5222);
|
this(fqdn, 5222, inetAddresses);
|
||||||
}
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
|
@ -49,7 +51,7 @@ public class HostAddress {
|
||||||
* @param port The port to connect on.
|
* @param port The port to connect on.
|
||||||
* @throws IllegalArgumentException If the fqdn is null or port is out of valid range (0 - 65535).
|
* @throws IllegalArgumentException If the fqdn is null or port is out of valid range (0 - 65535).
|
||||||
*/
|
*/
|
||||||
public HostAddress(String fqdn, int port) {
|
public HostAddress(String fqdn, int port, List<InetAddress> inetAddresses) {
|
||||||
Objects.requireNonNull(fqdn, "FQDN is null");
|
Objects.requireNonNull(fqdn, "FQDN is null");
|
||||||
if (port < 0 || port > 65535)
|
if (port < 0 || port > 65535)
|
||||||
throw new IllegalArgumentException(
|
throw new IllegalArgumentException(
|
||||||
|
@ -61,6 +63,24 @@ public class HostAddress {
|
||||||
this.fqdn = fqdn;
|
this.fqdn = fqdn;
|
||||||
}
|
}
|
||||||
this.port = port;
|
this.port = port;
|
||||||
|
if (inetAddresses.isEmpty()) {
|
||||||
|
throw new IllegalArgumentException("Must provide at least one InetAddress");
|
||||||
|
}
|
||||||
|
this.inetAddresses = inetAddresses;
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Constructs a new failed HostAddress. This constructor is usually used when the DNS resolution of the domain name
|
||||||
|
* failed for some reason.
|
||||||
|
*
|
||||||
|
* @param fqdn the domain name of the host.
|
||||||
|
* @param e the exception causing the failure.
|
||||||
|
*/
|
||||||
|
public HostAddress(String fqdn, Exception e) {
|
||||||
|
this.fqdn = fqdn;
|
||||||
|
this.port = 5222;
|
||||||
|
inetAddresses = Collections.emptyList();
|
||||||
|
setException(e);
|
||||||
}
|
}
|
||||||
|
|
||||||
public String getFQDN() {
|
public String getFQDN() {
|
||||||
|
@ -91,6 +111,10 @@ public class HostAddress {
|
||||||
return Collections.unmodifiableMap(exceptions);
|
return Collections.unmodifiableMap(exceptions);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
public List<InetAddress> getInetAddresses() {
|
||||||
|
return Collections.unmodifiableList(inetAddresses);
|
||||||
|
}
|
||||||
|
|
||||||
@Override
|
@Override
|
||||||
public String toString() {
|
public String toString() {
|
||||||
return fqdn + ":" + port;
|
return fqdn + ":" + port;
|
||||||
|
|
|
@ -1,6 +1,6 @@
|
||||||
/**
|
/**
|
||||||
*
|
*
|
||||||
* Copyright 2013-2014 Florian Schmaus
|
* Copyright 2013-2016 Florian Schmaus
|
||||||
*
|
*
|
||||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||||
* you may not use this file except in compliance with the License.
|
* you may not use this file except in compliance with the License.
|
||||||
|
@ -16,6 +16,9 @@
|
||||||
*/
|
*/
|
||||||
package org.jivesoftware.smack.util.dns;
|
package org.jivesoftware.smack.util.dns;
|
||||||
|
|
||||||
|
import java.net.InetAddress;
|
||||||
|
import java.util.List;
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* A DNS SRV RR.
|
* A DNS SRV RR.
|
||||||
*
|
*
|
||||||
|
@ -38,8 +41,8 @@ public class SRVRecord extends HostAddress implements Comparable<SRVRecord> {
|
||||||
* @param weight Relative weight for records with same priority
|
* @param weight Relative weight for records with same priority
|
||||||
* @throws IllegalArgumentException fqdn is null or any other field is not in valid range (0-65535).
|
* @throws IllegalArgumentException fqdn is null or any other field is not in valid range (0-65535).
|
||||||
*/
|
*/
|
||||||
public SRVRecord(String fqdn, int port, int priority, int weight) {
|
public SRVRecord(String fqdn, int port, int priority, int weight, List<InetAddress> inetAddresses) {
|
||||||
super(fqdn, port);
|
super(fqdn, port, inetAddresses);
|
||||||
if (weight < 0 || weight > 65535)
|
if (weight < 0 || weight > 65535)
|
||||||
throw new IllegalArgumentException(
|
throw new IllegalArgumentException(
|
||||||
"DNS SRV records weight must be a 16-bit unsiged integer (i.e. between 0-65535. Weight was: "
|
"DNS SRV records weight must be a 16-bit unsiged integer (i.e. between 0-65535. Weight was: "
|
||||||
|
|
|
@ -0,0 +1,24 @@
|
||||||
|
/**
|
||||||
|
*
|
||||||
|
* Copyright 2015-2016 Florian Schmaus
|
||||||
|
*
|
||||||
|
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||||
|
* you may not use this file except in compliance with the License.
|
||||||
|
* You may obtain a copy of the License at
|
||||||
|
*
|
||||||
|
* http://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
*
|
||||||
|
* Unless required by applicable law or agreed to in writing, software
|
||||||
|
* distributed under the License is distributed on an "AS IS" BASIS,
|
||||||
|
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||||
|
* See the License for the specific language governing permissions and
|
||||||
|
* limitations under the License.
|
||||||
|
*/
|
||||||
|
package org.jivesoftware.smack.util.dns;
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Implementations of this interface define a class that is capable of enabling DANE on a connection.
|
||||||
|
*/
|
||||||
|
public interface SmackDaneProvider {
|
||||||
|
SmackDaneVerifier newInstance();
|
||||||
|
}
|
|
@ -0,0 +1,34 @@
|
||||||
|
/**
|
||||||
|
*
|
||||||
|
* Copyright 2015-2016 Florian Schmaus
|
||||||
|
*
|
||||||
|
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||||
|
* you may not use this file except in compliance with the License.
|
||||||
|
* You may obtain a copy of the License at
|
||||||
|
*
|
||||||
|
* http://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
*
|
||||||
|
* Unless required by applicable law or agreed to in writing, software
|
||||||
|
* distributed under the License is distributed on an "AS IS" BASIS,
|
||||||
|
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||||
|
* See the License for the specific language governing permissions and
|
||||||
|
* limitations under the License.
|
||||||
|
*/
|
||||||
|
package org.jivesoftware.smack.util.dns;
|
||||||
|
|
||||||
|
import javax.net.ssl.KeyManager;
|
||||||
|
import javax.net.ssl.SSLContext;
|
||||||
|
import javax.net.ssl.SSLSocket;
|
||||||
|
import javax.net.ssl.X509TrustManager;
|
||||||
|
import java.security.KeyManagementException;
|
||||||
|
import java.security.SecureRandom;
|
||||||
|
import java.security.cert.CertificateException;
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Implementations of this interface define a class that is capable of enabling DANE on a connection.
|
||||||
|
*/
|
||||||
|
public interface SmackDaneVerifier {
|
||||||
|
void init(SSLContext context, KeyManager[] km, X509TrustManager tm, SecureRandom random) throws KeyManagementException;
|
||||||
|
|
||||||
|
void finish(SSLSocket socket) throws CertificateException;
|
||||||
|
}
|
|
@ -18,6 +18,9 @@ package org.jivesoftware.smack;
|
||||||
|
|
||||||
import static org.junit.Assert.assertEquals;
|
import static org.junit.Assert.assertEquals;
|
||||||
|
|
||||||
|
import java.net.InetAddress;
|
||||||
|
import java.net.UnknownHostException;
|
||||||
|
import java.util.Collections;
|
||||||
import java.util.LinkedList;
|
import java.util.LinkedList;
|
||||||
import java.util.List;
|
import java.util.List;
|
||||||
|
|
||||||
|
@ -28,14 +31,20 @@ import org.junit.Test;
|
||||||
public class SmackExceptionTest {
|
public class SmackExceptionTest {
|
||||||
|
|
||||||
@Test
|
@Test
|
||||||
public void testConnectionException() {
|
public void testConnectionException() throws UnknownHostException {
|
||||||
List<HostAddress> failedAddresses = new LinkedList<HostAddress>();
|
List<HostAddress> failedAddresses = new LinkedList<HostAddress>();
|
||||||
|
|
||||||
HostAddress hostAddress = new HostAddress("foo.bar.example", 1234);
|
String host = "foo.bar.example";
|
||||||
|
InetAddress inetAddress = InetAddress.getByAddress(host, new byte[] { 0, 0, 0, 0 });
|
||||||
|
List<InetAddress> inetAddresses = Collections.singletonList(inetAddress);
|
||||||
|
HostAddress hostAddress = new HostAddress(host, 1234, inetAddresses);
|
||||||
hostAddress.setException(new Exception("Failed for some reason"));
|
hostAddress.setException(new Exception("Failed for some reason"));
|
||||||
failedAddresses.add(hostAddress);
|
failedAddresses.add(hostAddress);
|
||||||
|
|
||||||
hostAddress = new HostAddress("barz.example", 5678);
|
host = "barz.example";
|
||||||
|
inetAddress = InetAddress.getByAddress(host, new byte[] { 0, 0, 0, 0 });
|
||||||
|
inetAddresses = Collections.singletonList(inetAddress);
|
||||||
|
hostAddress = new HostAddress(host, 5678, inetAddresses);
|
||||||
hostAddress.setException(new Exception("Failed for some other reason"));
|
hostAddress.setException(new Exception("Failed for some other reason"));
|
||||||
failedAddresses.add(hostAddress);
|
failedAddresses.add(hostAddress);
|
||||||
|
|
||||||
|
|
|
@ -1,6 +1,6 @@
|
||||||
/**
|
/**
|
||||||
*
|
*
|
||||||
* Copyright 2013-2014 Florian Schmaus
|
* Copyright 2013-2016 Florian Schmaus
|
||||||
*
|
*
|
||||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||||
* you may not use this file except in compliance with the License.
|
* you may not use this file except in compliance with the License.
|
||||||
|
@ -16,12 +16,15 @@
|
||||||
*/
|
*/
|
||||||
package org.jivesoftware.smack.util.dns.dnsjava;
|
package org.jivesoftware.smack.util.dns.dnsjava;
|
||||||
|
|
||||||
|
import java.net.InetAddress;
|
||||||
import java.util.ArrayList;
|
import java.util.ArrayList;
|
||||||
import java.util.List;
|
import java.util.List;
|
||||||
|
|
||||||
|
import org.jivesoftware.smack.ConnectionConfiguration.DnssecMode;
|
||||||
import org.jivesoftware.smack.initializer.SmackInitializer;
|
import org.jivesoftware.smack.initializer.SmackInitializer;
|
||||||
import org.jivesoftware.smack.util.DNSUtil;
|
import org.jivesoftware.smack.util.DNSUtil;
|
||||||
import org.jivesoftware.smack.util.dns.DNSResolver;
|
import org.jivesoftware.smack.util.dns.DNSResolver;
|
||||||
|
import org.jivesoftware.smack.util.dns.HostAddress;
|
||||||
import org.jivesoftware.smack.util.dns.SRVRecord;
|
import org.jivesoftware.smack.util.dns.SRVRecord;
|
||||||
import org.xbill.DNS.Lookup;
|
import org.xbill.DNS.Lookup;
|
||||||
import org.xbill.DNS.Record;
|
import org.xbill.DNS.Record;
|
||||||
|
@ -32,7 +35,7 @@ import org.xbill.DNS.Type;
|
||||||
* This implementation uses the <a href="http://www.dnsjava.org/">dnsjava</a> implementation for resolving DNS addresses.
|
* This implementation uses the <a href="http://www.dnsjava.org/">dnsjava</a> implementation for resolving DNS addresses.
|
||||||
*
|
*
|
||||||
*/
|
*/
|
||||||
public class DNSJavaResolver implements SmackInitializer, DNSResolver {
|
public class DNSJavaResolver extends DNSResolver implements SmackInitializer {
|
||||||
|
|
||||||
private static DNSJavaResolver instance = new DNSJavaResolver();
|
private static DNSJavaResolver instance = new DNSJavaResolver();
|
||||||
|
|
||||||
|
@ -40,11 +43,22 @@ public class DNSJavaResolver implements SmackInitializer, DNSResolver {
|
||||||
return instance;
|
return instance;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
public DNSJavaResolver() {
|
||||||
|
super(false);
|
||||||
|
}
|
||||||
|
|
||||||
@Override
|
@Override
|
||||||
public List<SRVRecord> lookupSRVRecords(String name) throws TextParseException {
|
protected List<SRVRecord> lookupSRVRecords0(String name, List<HostAddress> failedAddresses, DnssecMode dnssecMode) {
|
||||||
List<SRVRecord> res = new ArrayList<SRVRecord>();
|
List<SRVRecord> res = new ArrayList<SRVRecord>();
|
||||||
|
|
||||||
Lookup lookup = new Lookup(name, Type.SRV);
|
Lookup lookup;
|
||||||
|
try {
|
||||||
|
lookup = new Lookup(name, Type.SRV);
|
||||||
|
}
|
||||||
|
catch (TextParseException e) {
|
||||||
|
throw new IllegalStateException(e);
|
||||||
|
}
|
||||||
|
|
||||||
Record[] recs = lookup.run();
|
Record[] recs = lookup.run();
|
||||||
if (recs == null)
|
if (recs == null)
|
||||||
return res;
|
return res;
|
||||||
|
@ -57,7 +71,12 @@ public class DNSJavaResolver implements SmackInitializer, DNSResolver {
|
||||||
int priority = srvRecord.getPriority();
|
int priority = srvRecord.getPriority();
|
||||||
int weight = srvRecord.getWeight();
|
int weight = srvRecord.getWeight();
|
||||||
|
|
||||||
SRVRecord r = new SRVRecord(host, port, priority, weight);
|
List<InetAddress> hostAddresses = lookupHostAddress0(host, failedAddresses, dnssecMode);
|
||||||
|
if (hostAddresses == null) {
|
||||||
|
continue;
|
||||||
|
}
|
||||||
|
|
||||||
|
SRVRecord r = new SRVRecord(host, port, priority, weight, hostAddresses);
|
||||||
res.add(r);
|
res.add(r);
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
|
@ -1,6 +1,6 @@
|
||||||
/**
|
/**
|
||||||
*
|
*
|
||||||
* Copyright 2013-2014 Florian Schmaus
|
* Copyright 2013-2016 Florian Schmaus
|
||||||
*
|
*
|
||||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||||
* you may not use this file except in compliance with the License.
|
* you may not use this file except in compliance with the License.
|
||||||
|
@ -16,6 +16,7 @@
|
||||||
*/
|
*/
|
||||||
package org.jivesoftware.smack.util.dns.javax;
|
package org.jivesoftware.smack.util.dns.javax;
|
||||||
|
|
||||||
|
import java.net.InetAddress;
|
||||||
import java.util.ArrayList;
|
import java.util.ArrayList;
|
||||||
import java.util.Hashtable;
|
import java.util.Hashtable;
|
||||||
import java.util.List;
|
import java.util.List;
|
||||||
|
@ -27,9 +28,11 @@ import javax.naming.directory.Attributes;
|
||||||
import javax.naming.directory.DirContext;
|
import javax.naming.directory.DirContext;
|
||||||
import javax.naming.directory.InitialDirContext;
|
import javax.naming.directory.InitialDirContext;
|
||||||
|
|
||||||
|
import org.jivesoftware.smack.ConnectionConfiguration.DnssecMode;
|
||||||
import org.jivesoftware.smack.initializer.SmackInitializer;
|
import org.jivesoftware.smack.initializer.SmackInitializer;
|
||||||
import org.jivesoftware.smack.util.DNSUtil;
|
import org.jivesoftware.smack.util.DNSUtil;
|
||||||
import org.jivesoftware.smack.util.dns.DNSResolver;
|
import org.jivesoftware.smack.util.dns.DNSResolver;
|
||||||
|
import org.jivesoftware.smack.util.dns.HostAddress;
|
||||||
import org.jivesoftware.smack.util.dns.SRVRecord;
|
import org.jivesoftware.smack.util.dns.SRVRecord;
|
||||||
|
|
||||||
/**
|
/**
|
||||||
|
@ -38,7 +41,7 @@ import org.jivesoftware.smack.util.dns.SRVRecord;
|
||||||
* @author Florian Schmaus
|
* @author Florian Schmaus
|
||||||
*
|
*
|
||||||
*/
|
*/
|
||||||
public class JavaxResolver implements SmackInitializer, DNSResolver {
|
public class JavaxResolver extends DNSResolver implements SmackInitializer {
|
||||||
|
|
||||||
private static JavaxResolver instance;
|
private static JavaxResolver instance;
|
||||||
private static DirContext dirContext;
|
private static DirContext dirContext;
|
||||||
|
@ -71,10 +74,15 @@ public class JavaxResolver implements SmackInitializer, DNSResolver {
|
||||||
DNSUtil.setDNSResolver(getInstance());
|
DNSUtil.setDNSResolver(getInstance());
|
||||||
}
|
}
|
||||||
|
|
||||||
|
public JavaxResolver() {
|
||||||
|
super(false);
|
||||||
|
}
|
||||||
|
|
||||||
@Override
|
@Override
|
||||||
public List<SRVRecord> lookupSRVRecords(String name) throws NamingException {
|
protected List<SRVRecord> lookupSRVRecords0(String name, List<HostAddress> failedAddresses, DnssecMode dnssecMode) {
|
||||||
List<SRVRecord> res = new ArrayList<SRVRecord>();
|
List<SRVRecord> res = new ArrayList<SRVRecord>();
|
||||||
|
|
||||||
|
try {
|
||||||
Attributes dnsLookup = dirContext.getAttributes(name, new String[] { "SRV" });
|
Attributes dnsLookup = dirContext.getAttributes(name, new String[] { "SRV" });
|
||||||
Attribute srvAttribute = dnsLookup.get("SRV");
|
Attribute srvAttribute = dnsLookup.get("SRV");
|
||||||
if (srvAttribute == null)
|
if (srvAttribute == null)
|
||||||
|
@ -89,9 +97,19 @@ public class JavaxResolver implements SmackInitializer, DNSResolver {
|
||||||
int weight = Integer.parseInt(srvRecordEntries[srvRecordEntries.length - 3]);
|
int weight = Integer.parseInt(srvRecordEntries[srvRecordEntries.length - 3]);
|
||||||
String host = srvRecordEntries[srvRecordEntries.length - 1];
|
String host = srvRecordEntries[srvRecordEntries.length - 1];
|
||||||
|
|
||||||
SRVRecord srvRecord = new SRVRecord(host, port, priority, weight);
|
List<InetAddress> hostAddresses = lookupHostAddress0(host, failedAddresses, dnssecMode);
|
||||||
|
if (hostAddresses == null) {
|
||||||
|
continue;
|
||||||
|
}
|
||||||
|
|
||||||
|
SRVRecord srvRecord = new SRVRecord(host, port, priority, weight, hostAddresses);
|
||||||
res.add(srvRecord);
|
res.add(srvRecord);
|
||||||
}
|
}
|
||||||
|
}
|
||||||
|
catch (NamingException e) {
|
||||||
|
throw new IllegalStateException(e);
|
||||||
|
}
|
||||||
|
|
||||||
return res;
|
return res;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
|
@ -5,6 +5,6 @@ javax.naming API (e.g. Android)."""
|
||||||
|
|
||||||
dependencies {
|
dependencies {
|
||||||
compile project(path: ':smack-core')
|
compile project(path: ':smack-core')
|
||||||
compile 'de.measite.minidns:minidns:[0.1,0.2)'
|
compile 'de.measite.minidns:minidns-hla:0.2.0-beta1'
|
||||||
compile "org.jxmpp:jxmpp-util-cache:$jxmppVersion"
|
compile "org.jxmpp:jxmpp-util-cache:$jxmppVersion"
|
||||||
}
|
}
|
||||||
|
|
|
@ -0,0 +1,34 @@
|
||||||
|
/**
|
||||||
|
*
|
||||||
|
* Copyright 2015-2016 Florian Schmaus
|
||||||
|
*
|
||||||
|
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||||
|
* you may not use this file except in compliance with the License.
|
||||||
|
* You may obtain a copy of the License at
|
||||||
|
*
|
||||||
|
* http://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
*
|
||||||
|
* Unless required by applicable law or agreed to in writing, software
|
||||||
|
* distributed under the License is distributed on an "AS IS" BASIS,
|
||||||
|
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||||
|
* See the License for the specific language governing permissions and
|
||||||
|
* limitations under the License.
|
||||||
|
*/
|
||||||
|
package org.jivesoftware.smack.util.dns.minidns;
|
||||||
|
|
||||||
|
import org.jivesoftware.smack.util.DNSUtil;
|
||||||
|
import org.jivesoftware.smack.util.dns.SmackDaneProvider;
|
||||||
|
import org.jivesoftware.smack.util.dns.SmackDaneVerifier;
|
||||||
|
|
||||||
|
public class MiniDnsDane implements SmackDaneProvider {
|
||||||
|
public static final MiniDnsDane INSTANCE = new MiniDnsDane();
|
||||||
|
|
||||||
|
@Override
|
||||||
|
public SmackDaneVerifier newInstance() {
|
||||||
|
return new MiniDnsDaneVerifier();
|
||||||
|
}
|
||||||
|
|
||||||
|
public static void setup() {
|
||||||
|
DNSUtil.setDaneProvider(INSTANCE);
|
||||||
|
}
|
||||||
|
}
|
|
@ -0,0 +1,76 @@
|
||||||
|
/**
|
||||||
|
*
|
||||||
|
* Copyright 2015-2016 Florian Schmaus
|
||||||
|
*
|
||||||
|
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||||
|
* you may not use this file except in compliance with the License.
|
||||||
|
* You may obtain a copy of the License at
|
||||||
|
*
|
||||||
|
* http://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
*
|
||||||
|
* Unless required by applicable law or agreed to in writing, software
|
||||||
|
* distributed under the License is distributed on an "AS IS" BASIS,
|
||||||
|
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||||
|
* See the License for the specific language governing permissions and
|
||||||
|
* limitations under the License.
|
||||||
|
*/
|
||||||
|
package org.jivesoftware.smack.util.dns.minidns;
|
||||||
|
|
||||||
|
import java.io.IOException;
|
||||||
|
import java.security.KeyManagementException;
|
||||||
|
import java.security.SecureRandom;
|
||||||
|
import java.security.cert.CertificateException;
|
||||||
|
import java.util.logging.Level;
|
||||||
|
import java.util.logging.Logger;
|
||||||
|
|
||||||
|
import javax.net.ssl.KeyManager;
|
||||||
|
import javax.net.ssl.SSLContext;
|
||||||
|
import javax.net.ssl.SSLSocket;
|
||||||
|
import javax.net.ssl.TrustManager;
|
||||||
|
import javax.net.ssl.X509TrustManager;
|
||||||
|
|
||||||
|
import org.jivesoftware.smack.util.dns.SmackDaneVerifier;
|
||||||
|
|
||||||
|
import de.measite.minidns.dane.DaneVerifier;
|
||||||
|
import de.measite.minidns.dane.ExpectingTrustManager;
|
||||||
|
|
||||||
|
public class MiniDnsDaneVerifier implements SmackDaneVerifier {
|
||||||
|
private static final Logger LOGGER = Logger.getLogger(MiniDnsDaneVerifier.class.getName());
|
||||||
|
|
||||||
|
private static final DaneVerifier VERIFIER = new DaneVerifier();
|
||||||
|
|
||||||
|
private ExpectingTrustManager expectingTrustManager;
|
||||||
|
|
||||||
|
// Package protected constructor. Use MiniDnsDane.newInstance() to create the verifier.
|
||||||
|
MiniDnsDaneVerifier() {
|
||||||
|
}
|
||||||
|
|
||||||
|
@Override
|
||||||
|
public void init(SSLContext context, KeyManager[] km, X509TrustManager tm, SecureRandom random) throws KeyManagementException {
|
||||||
|
if (expectingTrustManager != null) {
|
||||||
|
throw new IllegalStateException("DaneProvider was initialized before. Use newInstance() instead.");
|
||||||
|
}
|
||||||
|
expectingTrustManager = new ExpectingTrustManager(tm);
|
||||||
|
context.init(km, new TrustManager[]{expectingTrustManager}, random);
|
||||||
|
}
|
||||||
|
|
||||||
|
@Override
|
||||||
|
public void finish(SSLSocket sslSocket) throws CertificateException {
|
||||||
|
if (VERIFIER.verify(sslSocket)) {
|
||||||
|
// DANE verification was the only requirement according to the TLSA RR. We can return here.
|
||||||
|
return;
|
||||||
|
}
|
||||||
|
|
||||||
|
// DANE verification was successful, but according to the TLSA RR we also must perform PKIX validation.
|
||||||
|
if (expectingTrustManager.hasException()) {
|
||||||
|
// PKIX validation has failed. Throw an exception but close the socket first.
|
||||||
|
try {
|
||||||
|
sslSocket.close();
|
||||||
|
} catch (IOException e) {
|
||||||
|
LOGGER.log(Level.FINER, "Closing TLS socket failed", e);
|
||||||
|
}
|
||||||
|
throw expectingTrustManager.getException();
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
}
|
|
@ -16,82 +16,148 @@
|
||||||
*/
|
*/
|
||||||
package org.jivesoftware.smack.util.dns.minidns;
|
package org.jivesoftware.smack.util.dns.minidns;
|
||||||
|
|
||||||
|
import java.io.IOException;
|
||||||
|
import java.net.InetAddress;
|
||||||
|
import java.net.UnknownHostException;
|
||||||
|
import java.util.ArrayList;
|
||||||
import java.util.LinkedList;
|
import java.util.LinkedList;
|
||||||
import java.util.List;
|
import java.util.List;
|
||||||
|
|
||||||
|
import org.jivesoftware.smack.ConnectionConfiguration.DnssecMode;
|
||||||
import org.jivesoftware.smack.initializer.SmackInitializer;
|
import org.jivesoftware.smack.initializer.SmackInitializer;
|
||||||
import org.jivesoftware.smack.util.DNSUtil;
|
import org.jivesoftware.smack.util.DNSUtil;
|
||||||
import org.jivesoftware.smack.util.dns.DNSResolver;
|
import org.jivesoftware.smack.util.dns.DNSResolver;
|
||||||
|
import org.jivesoftware.smack.util.dns.HostAddress;
|
||||||
import org.jivesoftware.smack.util.dns.SRVRecord;
|
import org.jivesoftware.smack.util.dns.SRVRecord;
|
||||||
import org.jxmpp.util.cache.ExpirationCache;
|
|
||||||
|
|
||||||
import de.measite.minidns.Client;
|
|
||||||
import de.measite.minidns.DNSCache;
|
import de.measite.minidns.DNSCache;
|
||||||
import de.measite.minidns.DNSMessage;
|
import de.measite.minidns.DNSMessage.RESPONSE_CODE;
|
||||||
import de.measite.minidns.Question;
|
import de.measite.minidns.Question;
|
||||||
import de.measite.minidns.Record;
|
import de.measite.minidns.cache.LRUCache;
|
||||||
import de.measite.minidns.Record.CLASS;
|
import de.measite.minidns.dnssec.DNSSECClient;
|
||||||
import de.measite.minidns.Record.TYPE;
|
import de.measite.minidns.hla.ResolutionUnsuccessfulException;
|
||||||
import de.measite.minidns.record.Data;
|
import de.measite.minidns.hla.ResolverApi;
|
||||||
|
import de.measite.minidns.hla.ResolverResult;
|
||||||
|
import de.measite.minidns.record.A;
|
||||||
|
import de.measite.minidns.record.AAAA;
|
||||||
import de.measite.minidns.record.SRV;
|
import de.measite.minidns.record.SRV;
|
||||||
|
import de.measite.minidns.recursive.ReliableDNSClient;
|
||||||
|
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* This implementation uses the <a href="https://github.com/rtreffer/minidns/">minidns</a> implementation for
|
* This implementation uses the <a href="https://github.com/rtreffer/minidns/">MiniDNS</a> implementation for
|
||||||
* resolving DNS addresses.
|
* resolving DNS addresses.
|
||||||
*/
|
*/
|
||||||
public class MiniDnsResolver implements SmackInitializer, DNSResolver {
|
public class MiniDnsResolver extends DNSResolver implements SmackInitializer {
|
||||||
|
|
||||||
private static final long ONE_DAY = 24*60*60*1000;
|
private static final MiniDnsResolver INSTANCE = new MiniDnsResolver();
|
||||||
private static final MiniDnsResolver instance = new MiniDnsResolver();
|
|
||||||
private static final ExpirationCache<Question, DNSMessage> cache = new ExpirationCache<Question, DNSMessage>(10, ONE_DAY);
|
|
||||||
private final Client client;
|
|
||||||
|
|
||||||
public MiniDnsResolver() {
|
private static final DNSCache CACHE = new LRUCache(128);
|
||||||
client = new Client(new DNSCache() {
|
|
||||||
|
|
||||||
@Override
|
private static final ResolverApi DNSSEC_RESOLVER = new ResolverApi(new DNSSECClient(CACHE));
|
||||||
public DNSMessage get(Question question) {
|
|
||||||
return cache.get(question);
|
|
||||||
}
|
|
||||||
|
|
||||||
@Override
|
private static final ResolverApi NON_DNSSEC_RESOLVER = new ResolverApi(new ReliableDNSClient(CACHE));
|
||||||
public void put(Question question, DNSMessage message) {
|
|
||||||
long expirationTime = ONE_DAY;
|
|
||||||
for (Record record : message.getAnswers()) {
|
|
||||||
if (record.isAnswer(question)) {
|
|
||||||
expirationTime = record.getTtl();
|
|
||||||
break;
|
|
||||||
}
|
|
||||||
}
|
|
||||||
cache.put(question, message, expirationTime);
|
|
||||||
}
|
|
||||||
|
|
||||||
});
|
|
||||||
}
|
|
||||||
|
|
||||||
public static DNSResolver getInstance() {
|
public static DNSResolver getInstance() {
|
||||||
return instance;
|
return INSTANCE;
|
||||||
|
}
|
||||||
|
|
||||||
|
public MiniDnsResolver() {
|
||||||
|
super(true);
|
||||||
}
|
}
|
||||||
|
|
||||||
@Override
|
@Override
|
||||||
public List<SRVRecord> lookupSRVRecords(String name) {
|
protected List<SRVRecord> lookupSRVRecords0(final String name, List<HostAddress> failedAddresses, DnssecMode dnssecMode) {
|
||||||
List<SRVRecord> res = new LinkedList<SRVRecord>();
|
final ResolverApi resolver = getResolver(dnssecMode);
|
||||||
DNSMessage message = client.query(name, TYPE.SRV, CLASS.IN);
|
|
||||||
if (message == null) {
|
ResolverResult<SRV> result;
|
||||||
return res;
|
try {
|
||||||
|
result = resolver.resolve(name, SRV.class);
|
||||||
|
} catch (IOException e) {
|
||||||
|
failedAddresses.add(new HostAddress(name, e));
|
||||||
|
return null;
|
||||||
}
|
}
|
||||||
for (Record record : message.getAnswers()) {
|
|
||||||
Data data = record.getPayload();
|
// TODO: Use ResolverResult.getResolutionUnsuccessfulException() found in newer MiniDNS versions.
|
||||||
if (!(data instanceof SRV)) {
|
if (!result.wasSuccessful()) {
|
||||||
|
ResolutionUnsuccessfulException resolutionUnsuccessfulException = getExceptionFrom(result);
|
||||||
|
failedAddresses.add(new HostAddress(name, resolutionUnsuccessfulException));
|
||||||
|
return null;
|
||||||
|
}
|
||||||
|
|
||||||
|
if (shouldAbortIfNotAuthentic(name, dnssecMode, result, failedAddresses)) {
|
||||||
|
return null;
|
||||||
|
}
|
||||||
|
|
||||||
|
List<SRVRecord> res = new LinkedList<SRVRecord>();
|
||||||
|
for (SRV srv : result.getAnswers()) {
|
||||||
|
String hostname = srv.name.ace;
|
||||||
|
List<InetAddress> hostAddresses = lookupHostAddress0(hostname, failedAddresses, dnssecMode);
|
||||||
|
if (hostAddresses == null) {
|
||||||
continue;
|
continue;
|
||||||
}
|
}
|
||||||
SRV srv = (SRV) data;
|
|
||||||
res.add(new SRVRecord(srv.getName(), srv.getPort(), srv.getPriority(), srv.getWeight()));
|
SRVRecord srvRecord = new SRVRecord(hostname, srv.port, srv.priority, srv.weight, hostAddresses);
|
||||||
|
res.add(srvRecord);
|
||||||
}
|
}
|
||||||
|
|
||||||
return res;
|
return res;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@Override
|
||||||
|
protected List<InetAddress> lookupHostAddress0(final String name, List<HostAddress> failedAddresses, DnssecMode dnssecMode) {
|
||||||
|
final ResolverApi resolver = getResolver(dnssecMode);
|
||||||
|
|
||||||
|
final ResolverResult<A> aResult;
|
||||||
|
final ResolverResult<AAAA> aaaaResult;
|
||||||
|
|
||||||
|
try {
|
||||||
|
aResult = resolver.resolve(name, A.class);
|
||||||
|
aaaaResult = resolver.resolve(name, AAAA.class);
|
||||||
|
} catch (IOException e) {
|
||||||
|
failedAddresses.add(new HostAddress(name, e));
|
||||||
|
return null;
|
||||||
|
}
|
||||||
|
|
||||||
|
if (!aResult.wasSuccessful() && !aaaaResult.wasSuccessful()) {
|
||||||
|
// Both results where not successful.
|
||||||
|
failedAddresses.add(new HostAddress(name, getExceptionFrom(aResult)));
|
||||||
|
failedAddresses.add(new HostAddress(name, getExceptionFrom(aaaaResult)));
|
||||||
|
return null;
|
||||||
|
}
|
||||||
|
|
||||||
|
if (shouldAbortIfNotAuthentic(name, dnssecMode, aResult, failedAddresses)
|
||||||
|
|| shouldAbortIfNotAuthentic(name, dnssecMode, aaaaResult, failedAddresses)) {
|
||||||
|
return null;
|
||||||
|
}
|
||||||
|
|
||||||
|
List<InetAddress> inetAddresses = new ArrayList<>(aResult.getAnswers().size()
|
||||||
|
+ aaaaResult.getAnswers().size());
|
||||||
|
|
||||||
|
for (A a : aResult.getAnswers()) {
|
||||||
|
InetAddress inetAddress;
|
||||||
|
try {
|
||||||
|
inetAddress = InetAddress.getByAddress(a.getIp());
|
||||||
|
}
|
||||||
|
catch (UnknownHostException e) {
|
||||||
|
continue;
|
||||||
|
}
|
||||||
|
inetAddresses.add(inetAddress);
|
||||||
|
}
|
||||||
|
for (AAAA aaaa : aaaaResult.getAnswers()) {
|
||||||
|
InetAddress inetAddress;
|
||||||
|
try {
|
||||||
|
inetAddress = InetAddress.getByAddress(name, aaaa.getIp());
|
||||||
|
}
|
||||||
|
catch (UnknownHostException e) {
|
||||||
|
continue;
|
||||||
|
}
|
||||||
|
inetAddresses.add(inetAddress);
|
||||||
|
}
|
||||||
|
|
||||||
|
return inetAddresses;
|
||||||
|
}
|
||||||
|
|
||||||
public static void setup() {
|
public static void setup() {
|
||||||
DNSUtil.setDNSResolver(getInstance());
|
DNSUtil.setDNSResolver(getInstance());
|
||||||
}
|
}
|
||||||
|
@ -99,7 +165,43 @@ public class MiniDnsResolver implements SmackInitializer, DNSResolver {
|
||||||
@Override
|
@Override
|
||||||
public List<Exception> initialize() {
|
public List<Exception> initialize() {
|
||||||
setup();
|
setup();
|
||||||
|
MiniDnsDane.setup();
|
||||||
return null;
|
return null;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
private static ResolverApi getResolver(DnssecMode dnssecMode) {
|
||||||
|
if (dnssecMode == DnssecMode.disabled) {
|
||||||
|
return NON_DNSSEC_RESOLVER;
|
||||||
|
} else {
|
||||||
|
return DNSSEC_RESOLVER;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
private static boolean shouldAbortIfNotAuthentic(String name, DnssecMode dnssecMode,
|
||||||
|
ResolverResult<?> result, List<HostAddress> failedAddresses) {
|
||||||
|
switch (dnssecMode) {
|
||||||
|
case needsDnssec:
|
||||||
|
case needsDnssecAndDane:
|
||||||
|
// Check if the result is authentic data, i.e. there a no reasons the result is unverified.
|
||||||
|
// TODO: Use ResolverResult.getDnssecResultNotAuthenticException() of newer MiniDNS versions.
|
||||||
|
if (!result.isAuthenticData()) {
|
||||||
|
Exception exception = new Exception("DNSSEC verification failed: " + result.getUnverifiedReasons().iterator().next().getReasonString());
|
||||||
|
failedAddresses.add(new HostAddress(name, exception));
|
||||||
|
return true;
|
||||||
|
}
|
||||||
|
break;
|
||||||
|
case disabled:
|
||||||
|
break;
|
||||||
|
default:
|
||||||
|
throw new IllegalStateException("Unknown DnssecMode: " + dnssecMode);
|
||||||
|
}
|
||||||
|
return false;
|
||||||
|
}
|
||||||
|
|
||||||
|
private static ResolutionUnsuccessfulException getExceptionFrom(ResolverResult<?> result) {
|
||||||
|
Question question = result.getQuestion();
|
||||||
|
RESPONSE_CODE responseCode = result.getResponseCode();
|
||||||
|
ResolutionUnsuccessfulException resolutionUnsuccessfulException = new ResolutionUnsuccessfulException(question, responseCode);
|
||||||
|
return resolutionUnsuccessfulException;
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|
|
@ -19,6 +19,7 @@ package org.jivesoftware.smack.tcp;
|
||||||
import org.jivesoftware.smack.AbstractConnectionListener;
|
import org.jivesoftware.smack.AbstractConnectionListener;
|
||||||
import org.jivesoftware.smack.AbstractXMPPConnection;
|
import org.jivesoftware.smack.AbstractXMPPConnection;
|
||||||
import org.jivesoftware.smack.ConnectionConfiguration;
|
import org.jivesoftware.smack.ConnectionConfiguration;
|
||||||
|
import org.jivesoftware.smack.ConnectionConfiguration.DnssecMode;
|
||||||
import org.jivesoftware.smack.ConnectionConfiguration.SecurityMode;
|
import org.jivesoftware.smack.ConnectionConfiguration.SecurityMode;
|
||||||
import org.jivesoftware.smack.StanzaListener;
|
import org.jivesoftware.smack.StanzaListener;
|
||||||
import org.jivesoftware.smack.SmackConfiguration;
|
import org.jivesoftware.smack.SmackConfiguration;
|
||||||
|
@ -72,11 +73,14 @@ import org.jivesoftware.smack.packet.XMPPError;
|
||||||
import org.jivesoftware.smack.proxy.ProxyInfo;
|
import org.jivesoftware.smack.proxy.ProxyInfo;
|
||||||
import org.jivesoftware.smack.util.ArrayBlockingQueueWithShutdown;
|
import org.jivesoftware.smack.util.ArrayBlockingQueueWithShutdown;
|
||||||
import org.jivesoftware.smack.util.Async;
|
import org.jivesoftware.smack.util.Async;
|
||||||
|
import org.jivesoftware.smack.util.DNSUtil;
|
||||||
import org.jivesoftware.smack.util.PacketParserUtils;
|
import org.jivesoftware.smack.util.PacketParserUtils;
|
||||||
import org.jivesoftware.smack.util.StringUtils;
|
import org.jivesoftware.smack.util.StringUtils;
|
||||||
import org.jivesoftware.smack.util.TLSUtils;
|
import org.jivesoftware.smack.util.TLSUtils;
|
||||||
import org.jivesoftware.smack.util.XmlStringBuilder;
|
import org.jivesoftware.smack.util.XmlStringBuilder;
|
||||||
import org.jivesoftware.smack.util.dns.HostAddress;
|
import org.jivesoftware.smack.util.dns.HostAddress;
|
||||||
|
import org.jivesoftware.smack.util.dns.SmackDaneProvider;
|
||||||
|
import org.jivesoftware.smack.util.dns.SmackDaneVerifier;
|
||||||
import org.jxmpp.jid.impl.JidCreate;
|
import org.jxmpp.jid.impl.JidCreate;
|
||||||
import org.jxmpp.jid.parts.Resourcepart;
|
import org.jxmpp.jid.parts.Resourcepart;
|
||||||
import org.jxmpp.stringprep.XmppStringprepException;
|
import org.jxmpp.stringprep.XmppStringprepException;
|
||||||
|
@ -90,6 +94,8 @@ import javax.net.ssl.KeyManager;
|
||||||
import javax.net.ssl.KeyManagerFactory;
|
import javax.net.ssl.KeyManagerFactory;
|
||||||
import javax.net.ssl.SSLContext;
|
import javax.net.ssl.SSLContext;
|
||||||
import javax.net.ssl.SSLSocket;
|
import javax.net.ssl.SSLSocket;
|
||||||
|
import javax.net.ssl.TrustManager;
|
||||||
|
import javax.net.ssl.X509TrustManager;
|
||||||
import javax.security.auth.callback.Callback;
|
import javax.security.auth.callback.Callback;
|
||||||
import javax.security.auth.callback.CallbackHandler;
|
import javax.security.auth.callback.CallbackHandler;
|
||||||
import javax.security.auth.callback.PasswordCallback;
|
import javax.security.auth.callback.PasswordCallback;
|
||||||
|
@ -107,20 +113,18 @@ import java.lang.reflect.Constructor;
|
||||||
import java.net.InetAddress;
|
import java.net.InetAddress;
|
||||||
import java.net.InetSocketAddress;
|
import java.net.InetSocketAddress;
|
||||||
import java.net.Socket;
|
import java.net.Socket;
|
||||||
import java.net.UnknownHostException;
|
|
||||||
import java.security.KeyManagementException;
|
import java.security.KeyManagementException;
|
||||||
import java.security.KeyStore;
|
import java.security.KeyStore;
|
||||||
import java.security.KeyStoreException;
|
import java.security.KeyStoreException;
|
||||||
import java.security.NoSuchAlgorithmException;
|
import java.security.NoSuchAlgorithmException;
|
||||||
import java.security.NoSuchProviderException;
|
import java.security.NoSuchProviderException;
|
||||||
import java.security.Provider;
|
import java.security.Provider;
|
||||||
|
import java.security.SecureRandom;
|
||||||
import java.security.Security;
|
import java.security.Security;
|
||||||
import java.security.UnrecoverableKeyException;
|
import java.security.UnrecoverableKeyException;
|
||||||
import java.security.cert.CertificateException;
|
import java.security.cert.CertificateException;
|
||||||
import java.util.ArrayList;
|
import java.util.ArrayList;
|
||||||
import java.util.Arrays;
|
|
||||||
import java.util.Collection;
|
import java.util.Collection;
|
||||||
import java.util.Collections;
|
|
||||||
import java.util.Iterator;
|
import java.util.Iterator;
|
||||||
import java.util.LinkedHashSet;
|
import java.util.LinkedHashSet;
|
||||||
import java.util.LinkedList;
|
import java.util.LinkedList;
|
||||||
|
@ -559,20 +563,9 @@ public class XMPPTCPConnection extends AbstractXMPPConnection {
|
||||||
String host = hostAddress.getFQDN();
|
String host = hostAddress.getFQDN();
|
||||||
int port = hostAddress.getPort();
|
int port = hostAddress.getPort();
|
||||||
if (proxyInfo == null) {
|
if (proxyInfo == null) {
|
||||||
try {
|
inetAddresses = hostAddress.getInetAddresses().iterator();
|
||||||
inetAddresses = Arrays.asList(InetAddress.getAllByName(host)).iterator();
|
assert(inetAddresses.hasNext());
|
||||||
if (!inetAddresses.hasNext()) {
|
|
||||||
// This should not happen
|
|
||||||
LOGGER.warning("InetAddress.getAllByName() returned empty result array.");
|
|
||||||
throw new UnknownHostException(host);
|
|
||||||
}
|
|
||||||
} catch (UnknownHostException e) {
|
|
||||||
hostAddress.setException(e);
|
|
||||||
// TODO: Change to emptyIterator() once Smack's minimum Android SDK level is >= 19.
|
|
||||||
List<InetAddress> emptyInetAddresses = Collections.emptyList();
|
|
||||||
inetAddresses = emptyInetAddresses.iterator();
|
|
||||||
continue;
|
|
||||||
}
|
|
||||||
innerloop: while (inetAddresses.hasNext()) {
|
innerloop: while (inetAddresses.hasNext()) {
|
||||||
// Create a *new* Socket before every connection attempt, i.e. connect() call, since Sockets are not
|
// Create a *new* Socket before every connection attempt, i.e. connect() call, since Sockets are not
|
||||||
// re-usable after a failed connection attempt. See also SMACK-724.
|
// re-usable after a failed connection attempt. See also SMACK-724.
|
||||||
|
@ -689,6 +682,18 @@ public class XMPPTCPConnection extends AbstractXMPPConnection {
|
||||||
KeyStore ks = null;
|
KeyStore ks = null;
|
||||||
KeyManager[] kms = null;
|
KeyManager[] kms = null;
|
||||||
PasswordCallback pcb = null;
|
PasswordCallback pcb = null;
|
||||||
|
SmackDaneVerifier daneVerifier = null;
|
||||||
|
|
||||||
|
if (config.getDnssecMode() == DnssecMode.needsDnssecAndDane) {
|
||||||
|
SmackDaneProvider daneProvider = DNSUtil.getDaneProvider();
|
||||||
|
if (daneProvider == null) {
|
||||||
|
throw new UnsupportedOperationException("DANE enabled but no SmackDaneProvider configured");
|
||||||
|
}
|
||||||
|
daneVerifier = daneProvider.newInstance();
|
||||||
|
if (daneVerifier == null) {
|
||||||
|
throw new IllegalStateException("DANE requested but DANE provider did not return a DANE verifier");
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
if (context == null) {
|
if (context == null) {
|
||||||
final String keyStoreType = config.getKeystoreType();
|
final String keyStoreType = config.getKeystoreType();
|
||||||
|
@ -753,7 +758,20 @@ public class XMPPTCPConnection extends AbstractXMPPConnection {
|
||||||
|
|
||||||
// If the user didn't specify a SSLContext, use the default one
|
// If the user didn't specify a SSLContext, use the default one
|
||||||
context = SSLContext.getInstance("TLS");
|
context = SSLContext.getInstance("TLS");
|
||||||
context.init(kms, null, new java.security.SecureRandom());
|
|
||||||
|
final SecureRandom secureRandom = new java.security.SecureRandom();
|
||||||
|
X509TrustManager customTrustManager = config.getCustomX509TrustManager();
|
||||||
|
|
||||||
|
if (daneVerifier != null) {
|
||||||
|
// User requested DANE verification.
|
||||||
|
daneVerifier.init(context, kms, customTrustManager, secureRandom);
|
||||||
|
} else {
|
||||||
|
TrustManager[] customTrustManagers = null;
|
||||||
|
if (customTrustManager != null) {
|
||||||
|
customTrustManagers = new TrustManager[] { customTrustManager };
|
||||||
|
}
|
||||||
|
context.init(kms, customTrustManagers, secureRandom);
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
Socket plain = socket;
|
Socket plain = socket;
|
||||||
|
@ -773,6 +791,10 @@ public class XMPPTCPConnection extends AbstractXMPPConnection {
|
||||||
// Proceed to do the handshake
|
// Proceed to do the handshake
|
||||||
sslSocket.startHandshake();
|
sslSocket.startHandshake();
|
||||||
|
|
||||||
|
if (daneVerifier != null) {
|
||||||
|
daneVerifier.finish(sslSocket);
|
||||||
|
}
|
||||||
|
|
||||||
final HostnameVerifier verifier = getConfiguration().getHostnameVerifier();
|
final HostnameVerifier verifier = getConfiguration().getHostnameVerifier();
|
||||||
if (verifier == null) {
|
if (verifier == null) {
|
||||||
throw new IllegalStateException("No HostnameVerifier set. Use connectionConfiguration.setHostnameVerifier() to configure.");
|
throw new IllegalStateException("No HostnameVerifier set. Use connectionConfiguration.setHostnameVerifier() to configure.");
|
||||||
|
|
Loading…
Reference in a new issue