Commit 58e1c6dd authored by Nick Mathewson's avatar Nick Mathewson 🤹

Merge remote-tracking branch 'public/bug19769_19025_029' into maint-0.2.9

parents 8500f0e4 0151e1d1

changes/bug19025

0 → 100644
+4 −0
  o Major bugfixes (DNS):
    - Fix a bug that prevented exit nodes from caching DNS records for more
      than 60 seconds.
      Fixes bug 19025; bugfix on 0.2.4.7-alpha.

changes/ticket19769

0 → 100644
+7 −0
  o Major features (security):
    - Change the algorithm used to decide DNS TTLs on client and server side,
      to better resist DNS-based correlation attacks like the DefecTor attack
      of Greschbach, Pulls, Roberts, Winter, and Feamster).  Now
      relays only return one of two possible DNS TTL values, and clients
      are willing to believe DNS TTL values up to 3 hours long.
      Closes ticket 19769.
+12 −21
@@ -243,29 +243,19 @@ has_dns_init_failed(void)
}

/** Helper: Given a TTL from a DNS response, determine what TTL to give the
 * OP that asked us to resolve it. */
 * OP that asked us to resolve it, and how long to cache that record
 * ourselves. */
uint32_t
dns_clip_ttl(uint32_t ttl)
{
  if (ttl < MIN_DNS_TTL)
    return MIN_DNS_TTL;
  else if (ttl > MAX_DNS_TTL)
    return MAX_DNS_TTL;
  else
    return ttl;
}

/** Helper: Given a TTL from a DNS response, determine how long to hold it in
 * our cache. */
STATIC uint32_t
dns_get_expiry_ttl(uint32_t ttl)
{
  if (ttl < MIN_DNS_TTL)
    return MIN_DNS_TTL;
  else if (ttl > MAX_DNS_ENTRY_AGE)
    return MAX_DNS_ENTRY_AGE;
  /* This logic is a defense against "DefectTor" DNS-based traffic
   * confirmation attacks, as in https://nymity.ch/tor-dns/tor-dns.pdf .
   * We only give two values: a "low" value and a "high" value.
   */
  if (ttl < MIN_DNS_TTL_AT_EXIT)
    return MIN_DNS_TTL_AT_EXIT;
  else
    return ttl;
    return MAX_DNS_TTL_AT_EXIT;
}

/** Helper: free storage held by an entry in the DNS cache. */
@@ -336,7 +326,7 @@ cached_resolve_add_answer(cached_resolve_t *resolve,
      resolve->result_ipv4.err_ipv4 = dns_result;
      resolve->res_status_ipv4 = RES_STATUS_DONE_ERR;
    }

    resolve->ttl_ipv4 = ttl;
  } else if (query_type == DNS_IPv6_AAAA) {
    if (resolve->res_status_ipv6 != RES_STATUS_INFLIGHT)
      return;
@@ -351,6 +341,7 @@ cached_resolve_add_answer(cached_resolve_t *resolve,
      resolve->result_ipv6.err_ipv6 = dns_result;
      resolve->res_status_ipv6 = RES_STATUS_DONE_ERR;
    }
    resolve->ttl_ipv6 = ttl;
  }
}

@@ -1317,7 +1308,7 @@ make_pending_resolve_cached(cached_resolve_t *resolve)
        resolve->ttl_hostname < ttl)
      ttl = resolve->ttl_hostname;

    set_expiry(new_resolve, time(NULL) + dns_get_expiry_ttl(ttl));
    set_expiry(new_resolve, time(NULL) + dns_clip_ttl(ttl));
  }

  assert_cache_ok();
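Review bot: In the first hunk dns_clip_ttl has lost its pass-through branch: every TTL at or above MIN_DNS_TTL_AT_EXIT now comes back as MAX_DNS_TTL_AT_EXIT, and because make_pending_resolve_cached in the last hunk feeds the same function to set_expiry, an answer whose authoritative TTL was, say, ten minutes is both reported to the client and held in the exit's cache for a full hour. That is the intended two-bucket behaviour described in changes/ticket19769, but the doc comment above the function only says it decides the TTL "and how long to cache that record ourselves"; it should spell out the consequence, e.g. `/* Deliberately returns only two values, which may exceed the upstream TTL: a uniform, possibly stale answer leaks less than the real TTL would. */`. The in-body comment spells the attack "DefectTor" while the changelog and the cited paper use "DefecTor". dns_get_expiry_ttl is deleted here together with its STATIC declaration in dns.h; if a unit test still references it, this commit does not update it (not visible from this page).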
+12 −2
@@ -12,6 +12,18 @@
#ifndef TOR_DNS_H
#define TOR_DNS_H

/** Lowest value for DNS ttl that a server will give. */
#define MIN_DNS_TTL_AT_EXIT (5*60)
/** Highest value for DNS ttl that a server will give. */
#define MAX_DNS_TTL_AT_EXIT (60*60)

/** How long do we keep DNS cache entries before purging them (regardless of
 * their TTL)? */
#define MAX_DNS_ENTRY_AGE (3*60*60)
/** How long do we cache/tell clients to cache DNS records when no TTL is
 * known? */
#define DEFAULT_DNS_TTL (30*60)

int dns_init(void);
int has_dns_init_failed(void);
void dns_free_all(void);
@@ -31,8 +43,6 @@ void dump_dns_mem_usage(int severity);
#ifdef DNS_PRIVATE
#include "dns_structs.h"

STATIC uint32_t dns_get_expiry_ttl(uint32_t ttl);

MOCK_DECL(STATIC int,dns_resolve_impl,(edge_connection_t *exitconn,
int is_resolve,or_circuit_t *oncirc, char **hostname_out,
int *made_connection_pending_out, cached_resolve_t **resolve_out));
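Review bot: The new doc comments on MIN_DNS_TTL_AT_EXIT and MAX_DNS_TTL_AT_EXIT in the first hunk read as a floor and a ceiling, but dns_clip_ttl in this commit returns only those two values and nothing in between, so a reader of the header would misjudge the contract; suggest `/** The only two TTL values an exit reports and caches: anything below MIN_DNS_TTL_AT_EXIT is raised to it, everything else becomes MAX_DNS_TTL_AT_EXIT. */`. MAX_DNS_ENTRY_AGE is moved here from or.h and raised from 30 minutes to 3 hours, and the changelog says clients now believe TTLs up to 3 hours, yet its comment still describes only a cache purge bound; it should also name the client-side role if that is where the new value is consumed. Moving MAX_DNS_ENTRY_AGE and DEFAULT_DNS_TTL out of or.h means any translation unit that reached them through or.h alone now needs to include dns.h; whether such users exist cannot be told from this page.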
+0 −12
@@ -143,18 +143,6 @@
/** Maximum size of a single extrainfo document, as above. */
#define MAX_EXTRAINFO_UPLOAD_SIZE 50000

/** How long do we keep DNS cache entries before purging them (regardless of
 * their TTL)? */
#define MAX_DNS_ENTRY_AGE (30*60)
/** How long do we cache/tell clients to cache DNS records when no TTL is
 * known? */
#define DEFAULT_DNS_TTL (30*60)
/** How long can a TTL be before we stop believing it? */
#define MAX_DNS_TTL (3*60*60)
/** How small can a TTL be before we stop believing it?  Provides rudimentary
 * pinning. */
#define MIN_DNS_TTL 60

/** How often do we rotate onion keys? */
#define MIN_ONION_KEY_LIFETIME (7*24*60*60)
/** How often do we rotate TLS contexts? */