diff options
Diffstat (limited to 'src/network/kernel/qdnslookup.cpp')
| -rw-r--r-- | src/network/kernel/qdnslookup.cpp | 556 |
1 files changed, 548 insertions, 8 deletions
diff --git a/src/network/kernel/qdnslookup.cpp b/src/network/kernel/qdnslookup.cpp index c310c7e28e..d8ac95b3ec 100644 --- a/src/network/kernel/qdnslookup.cpp +++ b/src/network/kernel/qdnslookup.cpp @@ -8,15 +8,23 @@ #include <qapplicationstatic.h> #include <qcoreapplication.h> #include <qdatetime.h> +#include <qendian.h> #include <qloggingcategory.h> #include <qrandom.h> +#include <qspan.h> #include <qurl.h> +#if QT_CONFIG(ssl) +# include <qsslsocket.h> +#endif + #include <algorithm> QT_BEGIN_NAMESPACE -static Q_LOGGING_CATEGORY(lcDnsLookup, "qt.network.dnslookup", QtCriticalMsg) +using namespace Qt::StringLiterals; + +Q_STATIC_LOGGING_CATEGORY(lcDnsLookup, "qt.network.dnslookup", QtCriticalMsg) namespace { struct QDnsLookupThreadPool : QThreadPool @@ -159,6 +167,42 @@ static void qt_qdnsservicerecord_sort(QList<QDnsServiceRecord> &records) \note If you simply want to find the IP address(es) associated with a host name, or the host name associated with an IP address you should use QHostInfo instead. + + \section1 DNS-over-TLS and Authentic Data + + QDnsLookup supports DNS-over-TLS (DoT, as specified by \l{RFC 7858}) on + some platforms. That currently includes all Unix platforms where regular + queries are supported, if \l QSslSocket support is present in Qt. To query + if support is present at runtime, use isProtocolSupported(). + + When using DNS-over-TLS, QDnsLookup only implements the "Opportunistic + Privacy Profile" method of authentication, as described in \l{RFC 7858} + section 4.1. In this mode, QDnsLookup (through \l QSslSocket) only + validates that the server presents a certificate that is valid for the + server being connected to. Clients may use setSslConfiguration() to impose + additional restrictions and sslConfiguration() to obtain information after + the query is complete. + + QDnsLookup will request DNS servers queried over TLS to perform + authentication on the data they return. If they confirm the data is valid, + the \l authenticData property will be set to true. QDnsLookup does not + verify the integrity of the data by itself, so applications should only + trust this property on servers they have confirmed through other means to + be trustworthy. + + \section2 Authentic Data without TLS + + QDnsLookup request Authentic Data for any server set with setNameserver(), + even if TLS encryption is not required. This is useful when querying a + caching nameserver on the same host as the application or on a trusted + network. Though similar to the TLS case, the application is responsible for + determining if the server it chose to use is trustworthy, and if the + unencrypted connection cannot be tampered with. + + QDnsLookup obeys the system configuration to request Authentic Data on the + default nameserver (that is, if setNameserver() is not called). This is + currently only supported on Linux systems using glibc 2.31 or later. On any + other systems, QDnsLookup will ignore the AD bit in the query header. */ /*! @@ -213,10 +257,72 @@ static void qt_qdnsservicerecord_sort(QList<QDnsServiceRecord> &records) \value SRV service records. + \value[since 6.8] TLSA TLS association records. + \value TXT text records. */ /*! + \enum QDnsLookup::Protocol + + Indicates the type of DNS server that is being queried. + + \value Standard + Regular, unencrypted DNS, using UDP and falling back to TCP as necessary + (default port: 53) + + \value DnsOverTls + Encrypted DNS over TLS (DoT, as specified by \l{RFC 7858}), over TCP + (default port: 853) + + \sa isProtocolSupported(), nameserverProtocol, setNameserver() +*/ + +/*! + \since 6.8 + + Returns true if DNS queries using \a protocol are supported with QDnsLookup. + + \sa nameserverProtocol +*/ +bool QDnsLookup::isProtocolSupported(Protocol protocol) +{ +#if QT_CONFIG(libresolv) || defined(Q_OS_WIN) + switch (protocol) { + case QDnsLookup::Standard: + return true; + case QDnsLookup::DnsOverTls: +# if QT_CONFIG(ssl) + if (QSslSocket::supportsSsl()) + return true; +# endif + return false; + } +#else + Q_UNUSED(protocol) +#endif + return false; +} + +/*! + \since 6.8 + + Returns the standard (default) port number for the protocol \a protocol. + + \sa isProtocolSupported() +*/ +quint16 QDnsLookup::defaultPortForProtocol(Protocol protocol) noexcept +{ + switch (protocol) { + case QDnsLookup::Standard: + return DnsPort; + case QDnsLookup::DnsOverTls: + return DnsOverTlsPort; + } + return 0; // will probably fail somewhere +} + +/*! \fn void QDnsLookup::finished() This signal is emitted when the reply has finished processing. @@ -270,7 +376,7 @@ QDnsLookup::QDnsLookup(Type type, const QString &name, QObject *parent) */ QDnsLookup::QDnsLookup(Type type, const QString &name, const QHostAddress &nameserver, QObject *parent) - : QDnsLookup(type, name, nameserver, DnsPort, parent) + : QDnsLookup(type, name, nameserver, 0, parent) { } @@ -285,8 +391,9 @@ QDnsLookup::QDnsLookup(Type type, const QString &name, const QHostAddress &names //! [nameserver-port] \note Setting the port number to any value other than the default (53) can cause the name resolution to fail, depending on the operating system - limitations and firewalls. Notably, the Windows API used by QDnsLookup is - unable to handle alternate port numbers. + limitations and firewalls, if the nameserverProtocol() to be used + QDnsLookup::Standard. Notably, the Windows API used by QDnsLookup is unable + to handle alternate port numbers. //! [nameserver-port] */ QDnsLookup::QDnsLookup(Type type, const QString &name, const QHostAddress &nameserver, quint16 port, QObject *parent) @@ -300,6 +407,30 @@ QDnsLookup::QDnsLookup(Type type, const QString &name, const QHostAddress &names } /*! + \since 6.8 + + Constructs a QDnsLookup object to issue a query for \a name of record type + \a type, using the DNS server \a nameserver running on port \a port, and + sets \a parent as the parent object. + + The query will be sent using \a protocol, if supported. Use + isProtocolSupported() to check if it is supported. + + \include qdnslookup.cpp nameserver-port +*/ +QDnsLookup::QDnsLookup(Type type, const QString &name, Protocol protocol, + const QHostAddress &nameserver, quint16 port, QObject *parent) + : QObject(*new QDnsLookupPrivate, parent) +{ + Q_D(QDnsLookup); + d->name = name; + d->type = type; + d->nameserver = nameserver; + d->port = port; + d->protocol = protocol; +} + +/*! Destroys the QDnsLookup object. It is safe to delete a QDnsLookup object even if it is not finished, you @@ -311,6 +442,28 @@ QDnsLookup::~QDnsLookup() } /*! + \since 6.8 + \property QDnsLookup::authenticData + \brief whether the reply was authenticated by the resolver. + + QDnsLookup does not perform the authentication itself. Instead, it trusts + the name server that was queried to perform the authentication and report + it. The application is responsible for determining if any servers it + configured with setNameserver() are trustworthy; if no server was set, + QDnsLookup obeys system configuration on whether responses should be + trusted. + + This property may be set even if error() indicates a resolver error + occurred. + + \sa setNameserver(), nameserverProtocol() +*/ +bool QDnsLookup::isAuthenticData() const +{ + return d_func()->reply.authenticData; +} + +/*! \property QDnsLookup::error \brief the type of error that occurred if the DNS lookup failed, or NoError. */ @@ -416,6 +569,10 @@ QBindable<QHostAddress> QDnsLookup::bindableNameserver() \property QDnsLookup::nameserverPort \since 6.6 \brief the port number of nameserver to use for DNS lookup. + + The value of 0 indicates that QDnsLookup should use the default port for + the nameserverProtocol(). + \include qdnslookup.cpp nameserver-port */ @@ -437,18 +594,44 @@ QBindable<quint16> QDnsLookup::bindableNameserverPort() } /*! + \property QDnsLookup::nameserverProtocol + \since 6.8 + \brief the protocol to use when sending the DNS query + + \sa isProtocolSupported() +*/ +QDnsLookup::Protocol QDnsLookup::nameserverProtocol() const +{ + return d_func()->protocol; +} + +void QDnsLookup::setNameserverProtocol(Protocol protocol) +{ + d_func()->protocol = protocol; +} + +QBindable<QDnsLookup::Protocol> QDnsLookup::bindableNameserverProtocol() +{ + return &d_func()->protocol; +} + +/*! + \fn void QDnsLookup::setNameserver(const QHostAddress &nameserver, quint16 port) \since 6.6 + Sets the nameserver to \a nameserver and the port to \a port. \include qdnslookup.cpp nameserver-port \sa QDnsLookup::nameserver, QDnsLookup::nameserverPort */ -void QDnsLookup::setNameserver(const QHostAddress &nameserver, quint16 port) + +void QDnsLookup::setNameserver(Protocol protocol, const QHostAddress &nameserver, quint16 port) { Qt::beginPropertyUpdateGroup(); setNameserver(nameserver); setNameserverPort(port); + setNameserverProtocol(protocol); Qt::endPropertyUpdateGroup(); } @@ -524,6 +707,46 @@ QList<QDnsTextRecord> QDnsLookup::textRecords() const } /*! + \since 6.8 + Returns the list of TLS association records associated with this lookup. + + According to the standards relating to DNS-based Authentication of Named + Entities (DANE), this field should be ignored and must not be used for + verifying the authentity of a given server if the authenticity of the DNS + reply cannot itself be confirmed. See isAuthenticData() for more + information. + */ +QList<QDnsTlsAssociationRecord> QDnsLookup::tlsAssociationRecords() const +{ + return d_func()->reply.tlsAssociationRecords; +} + +#if QT_CONFIG(ssl) +/*! + \since 6.8 + Sets the \a sslConfiguration to use for outgoing DNS-over-TLS connections. + + \sa sslConfiguration(), QSslSocket::setSslConfiguration() +*/ +void QDnsLookup::setSslConfiguration(const QSslConfiguration &sslConfiguration) +{ + Q_D(QDnsLookup); + d->sslConfiguration.emplace(sslConfiguration); +} + +/*! + Returns the current SSL configuration. + + \sa setSslConfiguration() +*/ +QSslConfiguration QDnsLookup::sslConfiguration() const +{ + const Q_D(QDnsLookup); + return d->sslConfiguration.value_or(QSslConfiguration::defaultConfiguration()); +} +#endif + +/*! Aborts the DNS lookup operation. If the lookup is already finished, does nothing. @@ -565,6 +788,9 @@ void QDnsLookup::lookup() #ifdef QDNSLOOKUP_DEBUG qDebug("DNS reply for %s: %i (%s)", qPrintable(d->name), reply.error, qPrintable(reply.errorString)); #endif +#if QT_CONFIG(ssl) + d->sslConfiguration = std::move(reply.sslConfiguration); +#endif d->reply = reply; d->runnable = nullptr; d->isFinished = true; @@ -1052,6 +1278,223 @@ QDnsTextRecord &QDnsTextRecord::operator=(const QDnsTextRecord &other) very fast and never fails. */ +/*! + \class QDnsTlsAssociationRecord + \since 6.8 + \brief The QDnsTlsAssociationRecord class stores information about a DNS TLSA record. + + \inmodule QtNetwork + \ingroup network + \ingroup shared + + When performing a text lookup, zero or more records will be returned. Each + record is represented by a QDnsTlsAssociationRecord instance. + + The meaning of the fields is defined in \l{RFC 6698}. + + \sa QDnsLookup +*/ + +QT_DEFINE_QSDP_SPECIALIZATION_DTOR(QDnsTlsAssociationRecordPrivate) + +/*! + \enum QDnsTlsAssociationRecord::CertificateUsage + + This enumeration contains valid values for the certificate usage field of + TLS Association queries. The following list is up-to-date with \l{RFC 6698} + section 2.1.1 and RFC 7218 section 2.1. Please refer to those documents for + authoritative instructions on interpreting this enumeration. + + \value CertificateAuthorityConstrait + Indicates the record includes an association to a specific Certificate + Authority that must be found in the TLS server's certificate chain and + must pass PKIX validation. + + \value ServiceCertificateConstraint + Indicates the record includes an association to a certificate that must + match the end entity certificate provided by the TLS server and must + pass PKIX validation. + + \value TrustAnchorAssertion + Indicates the record includes an association to a certificate that MUST + be used as the ultimate trust anchor to validate the TLS server's + certificate and must pass PKIX validation. + + \value DomainIssuedCertificate + Indicates the record includes an association to a certificate that must + match the end entity certificate provided by the TLS server. PKIX + validation is not tested. + + \value PrivateUse + No standard meaning applied. + + \value PKIX_TA + Alias; mnemonic for Public Key Infrastructure Trust Anchor + + \value PKIX_EE + Alias; mnemonic for Public Key Infrastructure End Entity + + \value DANE_TA + Alias; mnemonic for DNS-based Authentication of Named Entities Trust Anchor + + \value DANE_EE + Alias; mnemonic for DNS-based Authentication of Named Entities End Entity + + \value PrivCert + Alias + + Other values are currently reserved, but may be unreserved by future + standards. This enumeration can be used for those values even if no + enumerator is provided. + + \sa certificateUsage() +*/ + +/*! + \enum QDnsTlsAssociationRecord::Selector + + This enumeration contains valid values for the selector field of TLS + Association queries. The following list is up-to-date with \l{RFC 6698} + section 2.1.2 and RFC 7218 section 2.2. Please refer to those documents for + authoritative instructions on interpreting this enumeration. + + \value FullCertificate + Indicates this record refers to the full certificate in its binary + structure form. + + \value SubjectPublicKeyInfo + Indicates the record refers to the certificate's subject and public + key information, in DER-encoded binary structure form. + + \value PrivateUse + No standard meaning applied. + + \value Cert + Alias + + \value SPKI + Alias + + \value PrivSel + Alias + + Other values are currently reserved, but may be unreserved by future + standards. This enumeration can be used for those values even if no + enumerator is provided. + + \sa selector() +*/ + +/*! + \enum QDnsTlsAssociationRecord::MatchingType + + This enumeration contains valid values for the matching type field of TLS + Association queries. The following list is up-to-date with \l{RFC 6698} + section 2.1.3 and RFC 7218 section 2.3. Please refer to those documents for + authoritative instructions on interpreting this enumeration. + + \value Exact + Indicates this the certificate or SPKI data is stored verbatim in this + record. + + \value Sha256 + Indicates this a SHA-256 checksum of the the certificate or SPKI data + present in this record. + + \value Sha512 + Indicates this a SHA-512 checksum of the the certificate or SPKI data + present in this record. + + \value PrivateUse + No standard meaning applied. + + \value PrivMatch + Alias + + Other values are currently reserved, but may be unreserved by future + standards. This enumeration can be used for those values even if no + enumerator is provided. + + \sa matchingType() +*/ + +/*! + Constructs an empty TLS Association record. + */ +QDnsTlsAssociationRecord::QDnsTlsAssociationRecord() + : d(new QDnsTlsAssociationRecordPrivate) +{ +} + +/*! + Constructs a copy of \a other. + */ +QDnsTlsAssociationRecord::QDnsTlsAssociationRecord(const QDnsTlsAssociationRecord &other) = default; + +/*! + Moves the content of \a other into this object. + */ +QDnsTlsAssociationRecord & +QDnsTlsAssociationRecord::operator=(const QDnsTlsAssociationRecord &other) = default; + +/*! + Destroys this TLS Association record object. + */ +QDnsTlsAssociationRecord::~QDnsTlsAssociationRecord() = default; + +/*! + Returns the name of this record. +*/ +QString QDnsTlsAssociationRecord::name() const +{ + return d->name; +} + +/*! + Returns the duration in seconds for which this record is valid. +*/ +quint32 QDnsTlsAssociationRecord::timeToLive() const +{ + return d->timeToLive; +} + +/*! + Returns the certificate usage field for this record. + */ +QDnsTlsAssociationRecord::CertificateUsage QDnsTlsAssociationRecord::usage() const +{ + return d->usage; +} + +/*! + Returns the selector field for this record. + */ +QDnsTlsAssociationRecord::Selector QDnsTlsAssociationRecord::selector() const +{ + return d->selector; +} + +/*! + Returns the match type field for this record. + */ +QDnsTlsAssociationRecord::MatchingType QDnsTlsAssociationRecord::matchType() const +{ + return d->matchType; +} + +/*! + Returns the binary data field for this record. The interpretation of this + binary data depends on the three numeric fields provided by + certificateUsage(), selector(), and matchType(). + + Do note this is a binary field, even for the checksums, similar to what + QCyrptographicHash::result() returns. + */ +QByteArray QDnsTlsAssociationRecord::value() const +{ + return d->value; +} + static QDnsLookupRunnable::EncodedLabel encodeLabel(const QString &label) { QDnsLookupRunnable::EncodedLabel::value_type rootDomain = u'.'; @@ -1070,8 +1513,14 @@ inline QDnsLookupRunnable::QDnsLookupRunnable(const QDnsLookupPrivate *d) : requestName(encodeLabel(d->name)), nameserver(d->nameserver), requestType(d->type), - port(d->port) + port(d->port), + protocol(d->protocol) { + if (port == 0) + port = QDnsLookup::defaultPortForProtocol(protocol); +#if QT_CONFIG(ssl) + sslConfiguration = d->sslConfiguration; +#endif } void QDnsLookupRunnable::run() @@ -1120,12 +1569,103 @@ inline QDebug operator<<(QDebug &d, QDnsLookupRunnable *r) if (r->requestName.size() > MaxDomainNameLength) d << "... (truncated)"; d << " type " << r->requestType; - if (!r->nameserver.isNull()) + if (!r->nameserver.isNull()) { d << " to nameserver " << qUtf16Printable(r->nameserver.toString()) - << " port " << (r->port ? r->port : DnsPort); + << " port " << (r->port ? r->port : QDnsLookup::defaultPortForProtocol(r->protocol)); + switch (r->protocol) { + case QDnsLookup::Standard: + break; + case QDnsLookup::DnsOverTls: + d << " (TLS)"; + } + } return d; } +#if QT_CONFIG(ssl) +static constexpr std::chrono::milliseconds DnsOverTlsConnectTimeout(15'000); +static constexpr std::chrono::milliseconds DnsOverTlsTimeout(120'000); +static constexpr quint8 DnsAuthenticDataBit = 0x20; + +static int makeReplyErrorFromSocket(QDnsLookupReply *reply, const QAbstractSocket *socket) +{ + QDnsLookup::Error error = [&] { + switch (socket->error()) { + case QAbstractSocket::SocketTimeoutError: + case QAbstractSocket::ProxyConnectionTimeoutError: + return QDnsLookup::TimeoutError; + default: + return QDnsLookup::ResolverError; + } + }(); + reply->setError(error, socket->errorString()); + return false; +} + +bool QDnsLookupRunnable::sendDnsOverTls(QDnsLookupReply *reply, QSpan<unsigned char> query, + ReplyBuffer &response) +{ + QSslSocket socket; + socket.setSslConfiguration(sslConfiguration.value_or(QSslConfiguration::defaultConfiguration())); + +# if QT_CONFIG(networkproxy) + socket.setProtocolTag("domain-s"_L1); +# endif + + // Request the name server attempt to authenticate the reply. + query[3] |= DnsAuthenticDataBit; + + do { + quint16 size = qToBigEndian<quint16>(query.size()); + QDeadlineTimer timeout(DnsOverTlsTimeout); + + socket.connectToHostEncrypted(nameserver.toString(), port); + socket.write(reinterpret_cast<const char *>(&size), sizeof(size)); + socket.write(reinterpret_cast<const char *>(query.data()), query.size()); + if (!socket.waitForEncrypted(DnsOverTlsConnectTimeout.count())) + break; + + reply->sslConfiguration = socket.sslConfiguration(); + + // accumulate reply + auto waitForBytes = [&](void *buffer, int count) { + int remaining = timeout.remainingTime(); + while (remaining >= 0 && socket.bytesAvailable() < count) { + if (!socket.waitForReadyRead(remaining)) + return false; + } + return socket.read(static_cast<char *>(buffer), count) == count; + }; + if (!waitForBytes(&size, sizeof(size))) + break; + + // note: strictly speaking, we're allocating memory based on untrusted data + // but in practice, due to limited range of the data type (16 bits), + // the maximum allocation is small. + size = qFromBigEndian(size); + response.resize(size); + if (waitForBytes(response.data(), size)) { + // check if the AD bit is set; we'll trust it over TLS requests + if (size >= 4) + reply->authenticData = response[3] & DnsAuthenticDataBit; + return true; + } + } while (false); + + // handle errors + return makeReplyErrorFromSocket(reply, &socket); +} +#else +bool QDnsLookupRunnable::sendDnsOverTls(QDnsLookupReply *reply, QSpan<unsigned char> query, + ReplyBuffer &response) +{ + Q_UNUSED(query) + Q_UNUSED(response) + reply->setError(QDnsLookup::ResolverError, QDnsLookup::tr("SSL/TLS support not present")); + return false; +} +#endif + QT_END_NAMESPACE #include "moc_qdnslookup.cpp" |