Opened Sep 13, 2019 by Mario Biberhofer@mbiberhofer

Support for DANE validation (DNS TLSA RRs)

Hey apk-tools community,

This is my first appearance on the alpine-linux stage; please bear with my ignorance.

Is there any interest in adding DANE validation support to apk-tools -- more specifically, libfetch? This (usually) implies the use of an additional external resolver library, like libunbound (or a custom implementation to fetch TLSA RRs).

I'd be willing to contribute and maintain this feature. See the attached patch for a hackish, ugly PoC approach. It replaces getaddrinfo() with the corresponding libunbound resolve functions and fetches the TLSA records (if any) after we could successfully connect to the server. The records are then added to the SSL connection in fetch_ssl() (if any). I validated that this patch works with DANE-TA type RRs using my personal mirror.

Notes on the patch:

  • the openssl documentation states that if no TLSA records are added using SSL_dane_tlsa_add(), no DANE validation is performed (see SSL_dane_tlsa_add(3)).
  • this patch currently only supports fetching A-Records. IPv6/AAAA RRs are TBD. Also, it surely does not free data correctly and might contain bugs. (I hacked it together in ~1 hour, I hope showing it is not inappropriate) All in all, everyone should press the "unsee" button after viewing it. :-)

Greetings, Mario

apk-tools-gitb45415b1096e76f40b32326d2798123f81fe5976_add-dane-validation-1.diff
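The matching step that a client has to perform once the TLSA RRset has been fetched and the peer has presented its chain, as an added illustration that is not part of the issue or of the attached patch (in the patch, OpenSSL does this internally after SSL_dane_tlsa_add()). It uses only the Python standard library; the certificate and SPKI byte strings are constructed placeholders standing in for real DER, and the function and constant names are this example's own, not libfetch's or OpenSSL's. A real client would pass the leaf and chain DER received from the TLS peer and the SubjectPublicKeyInfo extracted from each certificate with an ASN.1 parser.

```python
"""Added example: TLSA record parsing and DANE matching against a presented
certificate chain (RFC 6698 / RFC 7671 semantics), standard library only."""
import hashlib
import hmac
import struct

# TLSA RDATA layout (RFC 6698): usage(1) | selector(1) | matching type(1) | association data
USAGE_PKIX_TA, USAGE_PKIX_EE, USAGE_DANE_TA, USAGE_DANE_EE = 0, 1, 2, 3
SELECTOR_FULL_CERT, SELECTOR_SPKI = 0, 1
MTYPE_FULL, MTYPE_SHA256, MTYPE_SHA512 = 0, 1, 2


def parse_tlsa_rdata(rdata):
    """Parse wire-format TLSA RDATA, as a resolver library hands it back."""
    if len(rdata) < 3:
        raise ValueError("TLSA RDATA shorter than the 3 fixed header octets")
    usage, selector, mtype = struct.unpack("!BBB", rdata[:3])
    return (usage, selector, mtype, bytes(rdata[3:]))


def parse_tlsa_presentation(text):
    """Parse presentation format, e.g. '3 1 1 2bb183...' as printed by dig."""
    fields = text.split()
    if len(fields) < 4:
        raise ValueError("expected 'usage selector mtype hexdata'")
    usage, selector, mtype = (int(f) for f in fields[:3])
    return (usage, selector, mtype, bytes.fromhex("".join(fields[3:])))


def is_usable(record):
    """RFC 7671 calls a record with an unknown usage, selector or matching type
    'unusable': it is skipped, never treated as a match or as a failure."""
    usage, selector, mtype, _ = record
    return usage in (0, 1, 2, 3) and selector in (0, 1) and mtype in (0, 1, 2)


def tlsa_matches(record, cert_der, spki_der):
    """Compare one usable TLSA record with one certificate: the selector picks the
    full certificate or its SPKI, the matching type picks raw bytes or a digest."""
    _, selector, mtype, assoc = record
    subject = cert_der if selector == SELECTOR_FULL_CERT else spki_der
    if mtype == MTYPE_FULL:
        presented = subject
    elif mtype == MTYPE_SHA256:
        presented = hashlib.sha256(subject).digest()
    else:
        presented = hashlib.sha512(subject).digest()
    # constant-time comparison; differing lengths simply compare unequal
    return hmac.compare_digest(presented, assoc)


def dane_verify(records, chain, pkix_valid=False):
    """Evaluate a TLSA RRset against a presented chain.
    chain: list of (cert_der, spki_der) tuples, end-entity certificate first.
    pkix_valid: outcome of ordinary PKIX validation, required for usages 0 and 1.
    Returns (accepted, reason)."""
    usable = [r for r in records if is_usable(r)]
    if not usable:
        return False, "no usable TLSA records (treat as if DANE were not published)"
    for rec in usable:
        usage = rec[0]
        if usage == USAGE_DANE_EE and tlsa_matches(rec, *chain[0]):
            return True, "DANE-EE(3) record matches end-entity certificate"
        if usage == USAGE_DANE_TA:
            for depth, (cert, spki) in enumerate(chain):
                if tlsa_matches(rec, cert, spki):
                    return True, "DANE-TA(2) record matches chain cert at depth %d" % depth
        if usage == USAGE_PKIX_EE and pkix_valid and tlsa_matches(rec, *chain[0]):
            return True, "PKIX-EE(1) record matches and PKIX validation passed"
        if usage == USAGE_PKIX_TA and pkix_valid and any(tlsa_matches(rec, c, s) for c, s in chain):
            return True, "PKIX-TA(0) record matches and PKIX validation passed"
    return False, "TLSA records published but none matched the presented chain"


# --- constructed sample data: stand-ins for DER byte strings, not real certificates ---
LEAF_CERT, LEAF_SPKI = b"constructed-leaf-certificate-der", b"constructed-leaf-spki-der"
CA_CERT, CA_SPKI = b"constructed-mirror-ca-certificate-der", b"constructed-mirror-ca-spki-der"
CHAIN = [(LEAF_CERT, LEAF_SPKI), (CA_CERT, CA_SPKI)]


def sample_rrset():
    """A constructed TLSA RRset as a resolver might return it: a DANE-TA SHA-256
    record pinning the mirror CA's SPKI, a record with an unknown matching type,
    and a stale DANE-EE record for a certificate no longer in use."""
    ta = "2 1 1 " + hashlib.sha256(CA_SPKI).hexdigest()
    unknown = struct.pack("!BBB", 3, 1, 9) + b"\x00" * 32
    stale = struct.pack("!BBB", 3, 0, 1) + hashlib.sha256(b"old-leaf").digest()
    return [parse_tlsa_presentation(ta), parse_tlsa_rdata(unknown), parse_tlsa_rdata(stale)]


if __name__ == "__main__":
    print(dane_verify(sample_rrset(), CHAIN))
```

Two points the example makes explicit that a libfetch integration must preserve: only records the resolver returned with a secure DNSSEC validation status may be fed into this step (DANE without DNSSEC pins nothing), and an RRset consisting only of unusable records is equivalent to no DANE at all rather than a validation failure. Usages 0 and 1 are accepted only when the caller also reports a successful PKIX path validation.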

Reference: alpine/apk-tools#10660