Support for DANE validation (DNS TLSA RRs)
Hey apk-tools community,
This my first appearance on the alpine-linux stage, please bear with my ignorance.
Is there any interest in adding DANE validation support to apk-tools -- more specifically, libfetch? This (usually) implicates usage of an additional external resolver library, like libunbound. (or a custom implementation to fetch TLSA RRs)
I'd be willing to contribute and maintain this feature. See the attached patch for a hackish, ugly PoC approach. It replaces getaddrinfo() with the corresponding libunbound resolve functions and fetches the TLSA records (if any) after we could successfully connect to the server. The records are then added to the SSL connection in fetch_ssl() (if any). I validated that this patch works with DANE-TA type RRs using my personal mirror.
Notes on the patch:
- the openssl documentation states that if no TLSA records are added using SSL_dane_tlsa_add(), no DANE validation is performed (see SSL_dane_tlsa_add(3)).
- this patch currently only supports fetching A-Records. IPv6/AAAA RRs are TBD. Also, it surely does not free data correctly and might contain bugs. (I hacked it together in ~1 hour, I hope showing it is not inappropriate) All in all, everyone should press the "unsee" button after viewing it. :-)