From 12d655d4561cfee0103c57e791c59a263863e561 Mon Sep 17 00:00:00 2001 From: Daniel Stenberg Date: Thu, 9 May 2019 10:58:04 +0200 Subject: [PATCH] doh: disable DOH for the cases it doesn't work Due to limitations in Curl_resolver_wait_resolv(), it doesn't work for DOH resolves. This fix disables DOH for those. Limitation added to KNOWN_BUGS. Fixes #3850 Closes #3857 --- docs/KNOWN_BUGS | 11 +++++++++++ lib/connect.c | 2 +- lib/ftp.c | 6 +++--- lib/hostip.c | 7 ++++--- lib/hostip.h | 7 +++++-- lib/socks.c | 4 ++-- 6 files changed, 26 insertions(+), 11 deletions(-) diff --git a/docs/KNOWN_BUGS b/docs/KNOWN_BUGS index 67c7b16611..8431baaf52 100644 --- a/docs/KNOWN_BUGS +++ b/docs/KNOWN_BUGS @@ -19,6 +19,7 @@ problems may have been fixed or changed somewhat since this was written! 1.5 Expect-100 meets 417 1.6 Unnecessary close when 401 received waiting for 100 1.7 Deflate error after all content was received + 1.8 DoH isn't used for all name resolves when enabled 1.9 HTTP/2 frames while in the connection pool kill reuse 1.10 Strips trailing dot from host name 1.11 CURLOPT_SEEKFUNCTION not called with CURLFORM_STREAM @@ -166,6 +167,16 @@ problems may have been fixed or changed somewhat since this was written! See https://github.com/curl/curl/issues/2719 +1.8 DoH isn't used for all name resolves when enabled + + Even if DoH is specified to be used, there are some name resolves that are + done without it. This should be fixed. When the internal function + `Curl_resolver_wait_resolv()` is called, it doesn't use DoH to complete the + resolve as it otherwise should. + + See https://github.com/curl/curl/pull/3857 and + https://github.com/curl/curl/pull/3850 + 1.9 HTTP/2 frames while in the connection pool kill reuse If the server sends HTTP/2 frames (like for example an HTTP/2 PING frame) to diff --git a/lib/connect.c b/lib/connect.c index e2d31a9b3c..42e73360ae 100644 --- a/lib/connect.c +++ b/lib/connect.c 
@@ -357,7 +357,7 @@ static CURLcode bindlocal(struct connectdata *conn, conn->ip_version = CURL_IPRESOLVE_V6; #endif - rc = Curl_resolv(conn, dev, 0, &h); + rc = Curl_resolv(conn, dev, 0, FALSE, &h); if(rc == CURLRESOLV_PENDING) (void)Curl_resolver_wait_resolv(conn, &h); conn->ip_version = ipver; diff --git a/lib/ftp.c b/lib/ftp.c index 825aaaa1d7..5b070101be 100644 --- a/lib/ftp.c +++ b/lib/ftp.c @@ -1080,7 +1080,7 @@ static CURLcode ftp_state_use_port(struct connectdata *conn, } /* resolv ip/host to ip */ - rc = Curl_resolv(conn, host, 0, &h); + rc = Curl_resolv(conn, host, 0, FALSE, &h); if(rc == CURLRESOLV_PENDING) (void)Curl_resolver_wait_resolv(conn, &h); if(h) { @@ -1934,7 +1934,7 @@ static CURLcode ftp_state_pasv_resp(struct connectdata *conn, */ const char * const host_name = conn->bits.socksproxy ? conn->socks_proxy.host.name : conn->http_proxy.host.name; - rc = Curl_resolv(conn, host_name, (int)conn->port, &addr); + rc = Curl_resolv(conn, host_name, (int)conn->port, FALSE, &addr); if(rc == CURLRESOLV_PENDING) /* BLOCKING, ignores the return code but 'addr' will be NULL in case of failure */ @@ -1950,7 +1950,7 @@ static CURLcode ftp_state_pasv_resp(struct connectdata *conn, } else { /* normal, direct, ftp connection */ - rc = Curl_resolv(conn, ftpc->newhost, ftpc->newport, &addr); + rc = Curl_resolv(conn, ftpc->newhost, ftpc->newport, FALSE, &addr); if(rc == CURLRESOLV_PENDING) /* BLOCKING */ (void)Curl_resolver_wait_resolv(conn, &addr); diff --git a/lib/hostip.c b/lib/hostip.c index 365d3c6618..ed00ad5b9a 100644 --- a/lib/hostip.c +++ b/lib/hostip.c @@ -482,6 +482,7 @@ Curl_cache_addr(struct Curl_easy *data, int Curl_resolv(struct connectdata *conn, const char *hostname, int port, + bool allowDOH, struct Curl_dns_entry **entry) { struct Curl_dns_entry *dns = NULL; 
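Review bot: The bare `FALSE` in `rc = Curl_resolv(conn, dev, 0, FALSE, &h);` gives a reader no hint why DoH is bypassed for this lookup, and the same opaque literal appears in the three ftp.c hunks and the two socks.c hunks. The reason lives only in the commit message and KNOWN_BUGS: the blocking `Curl_resolver_wait_resolv()` call just below cannot complete a DoH resolve, so the two lines are coupled. A one-line comment at each such call site would keep that visible, e.g. `/* no DoH: the blocking Curl_resolver_wait_resolv() below can't finish a DoH resolve */`. For the socks.c call sites the name resolved this way appears to be the remote destination (it is passed together with `remote_port`), so a user who enabled DoH for privacy gets a plain-DNS lookup of that name on the client-side-resolving SOCKS paths; that consequence is worth spelling out in the KNOWN_BUGS entry as well. bindlocal() continues outside the hunk.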
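Review bot: The new `bool allowDOH` parameter on `Curl_resolv()` is undocumented both at this definition and on the prototype in the hostip.h hunk, and its sense is easy to misread: it is a caller-side veto rather than a DoH enable, since the next hostip.c hunk still also requires `data->set.doh` before `Curl_doh()` is used. I would add a line to the function's header comment (which sits above this hunk) and mirror it at the prototype, e.g. `/* allowDOH: FALSE when the caller will block in Curl_resolver_wait_resolv(), which cannot complete a DoH resolve; TRUE otherwise */`. The body of Curl_resolv continues past the hunk.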
@@ -527,7 +528,7 @@ int Curl_resolv(struct connectdata *conn, return CURLRESOLV_ERROR; } - if(data->set.doh) { + if(allowDOH && data->set.doh) { addr = Curl_doh(conn, hostname, port, &respwait); } else { @@ -653,7 +654,7 @@ int Curl_resolv_timeout(struct connectdata *conn, if(!timeout) /* USE_ALARM_TIMEOUT defined, but no timeout actually requested */ - return Curl_resolv(conn, hostname, port, entry); + return Curl_resolv(conn, hostname, port, TRUE, entry); if(timeout < 1000) { /* The alarm() function only provides integer second resolution, so if @@ -715,7 +716,7 @@ int Curl_resolv_timeout(struct connectdata *conn, /* Perform the actual name resolution. This might be interrupted by an * alarm if it takes too long. */ - rc = Curl_resolv(conn, hostname, port, entry); + rc = Curl_resolv(conn, hostname, port, TRUE, entry); #ifdef USE_ALARM_TIMEOUT clean_up: diff --git a/lib/hostip.h b/lib/hostip.h index cd43882af6..9dc0d5a177 100644 --- a/lib/hostip.h +++ b/lib/hostip.h @@ -83,8 +83,11 @@ struct Curl_dns_entry { #define CURLRESOLV_ERROR -1 #define CURLRESOLV_RESOLVED 0 #define CURLRESOLV_PENDING 1 -int Curl_resolv(struct connectdata *conn, const char *hostname, - int port, struct Curl_dns_entry **dnsentry); +int Curl_resolv(struct connectdata *conn, + const char *hostname, + int port, + bool allowDOH, + struct Curl_dns_entry **dnsentry); int Curl_resolv_timeout(struct connectdata *conn, const char *hostname, int port, struct Curl_dns_entry **dnsentry, time_t timeoutms); diff --git a/lib/socks.c b/lib/socks.c index c9589bbf9f..d8fcc3bbba 100644 --- a/lib/socks.c +++ b/lib/socks.c @@ -155,7 +155,7 @@ CURLcode Curl_SOCKS4(const char *proxy_user, Curl_addrinfo *hp = NULL; int rc; - rc = Curl_resolv(conn, hostname, remote_port, &dns); + rc = Curl_resolv(conn, hostname, remote_port, FALSE, &dns); if(rc == CURLRESOLV_ERROR) return CURLE_COULDNT_RESOLVE_PROXY; 
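Review bot: At `if(allowDOH && data->set.doh)` a caller passing `allowDOH == FALSE` drops silently from DoH to the system resolver even though the user asked for DoH, so a lookup leaving the DoH channel is invisible at runtime unless one has read KNOWN_BUGS. A verbose-mode message on that path would let users, and anyone debugging a DoH deployment, see which names still go over plain DNS, e.g. immediately before the `if`: `if(data->set.doh && !allowDOH)` / `infof(data, "DoH not used for this resolve\n");`. The rest of Curl_resolv, including the non-DoH `else` branch, is outside the hunk.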
@@ -609,7 +609,7 @@ CURLcode Curl_SOCKS5(const char *proxy_user, else { struct Curl_dns_entry *dns; Curl_addrinfo *hp = NULL; - int rc = Curl_resolv(conn, hostname, remote_port, &dns); + int rc = Curl_resolv(conn, hostname, remote_port, FALSE, &dns); if(rc == CURLRESOLV_ERROR) return CURLE_COULDNT_RESOLVE_HOST;