doh: disable DOH for the cases it doesn't work

Due to limitations in Curl_resolver_wait_resolv(), it doesn't work for DOH resolves. This fix disables DOH for those. Limitation added to KNOWN_BUGS. Fixes #3850 Closes #3857
2024-08-13 17:03:50 -04:00 · 2019-05-09 10:58:04 +02:00 · 2019-05-09 10:58:04 +02:00 · 12d655d456
commit 12d655d456
parent edf2f6a6f6
6 changed files with 26 additions and 11 deletions
--- a/docs/KNOWN_BUGS
+++ b/docs/KNOWN_BUGS
@ -19,6 +19,7 @@ problems may have been fixed or changed somewhat since this was written!
 1.5 Expect-100 meets 417
 1.6 Unnecessary close when 401 received waiting for 100
 1.7 Deflate error after all content was received
+ 1.8 DoH isn't used for all name resolves when enabled
 1.9 HTTP/2 frames while in the connection pool kill reuse
 1.10 Strips trailing dot from host name
 1.11 CURLOPT_SEEKFUNCTION not called with CURLFORM_STREAM
@ -166,6 +167,16 @@ problems may have been fixed or changed somewhat since this was written!

 See https://github.com/curl/curl/issues/2719

+1.8 DoH isn't used for all name resolves when enabled
+
+ Even if DoH is specified to be used, there are some name resolves that are
+ done without it. This should be fixed. When the internal function
+ `Curl_resolver_wait_resolv()` is called, it doesn't use DoH to complete the
+ resolve as it otherwise should.
+
+ See https://github.com/curl/curl/pull/3857 and
+ https://github.com/curl/curl/pull/3850
+
 1.9 HTTP/2 frames while in the connection pool kill reuse

 If the server sends HTTP/2 frames (like for example an HTTP/2 PING frame) to
--- a/lib/connect.c
+++ b/lib/connect.c
@ -357,7 +357,7 @@ static CURLcode bindlocal(struct connectdata *conn,
        conn->ip_version = CURL_IPRESOLVE_V6;
 #endif

-      rc = Curl_resolv(conn, dev, 0, &h);
+      rc = Curl_resolv(conn, dev, 0, FALSE, &h);
      if(rc == CURLRESOLV_PENDING)
        (void)Curl_resolver_wait_resolv(conn, &h);
      conn->ip_version = ipver;
--- a/lib/ftp.c
+++ b/lib/ftp.c
@ -1080,7 +1080,7 @@ static CURLcode ftp_state_use_port(struct connectdata *conn,
  }

  /* resolv ip/host to ip */
-  rc = Curl_resolv(conn, host, 0, &h);
+  rc = Curl_resolv(conn, host, 0, FALSE, &h);
  if(rc == CURLRESOLV_PENDING)
    (void)Curl_resolver_wait_resolv(conn, &h);
  if(h) {
@ -1934,7 +1934,7 @@ static CURLcode ftp_state_pasv_resp(struct connectdata *conn,
     */
    const char * const host_name = conn->bits.socksproxy ?
      conn->socks_proxy.host.name : conn->http_proxy.host.name;
-    rc = Curl_resolv(conn, host_name, (int)conn->port, &addr);
+    rc = Curl_resolv(conn, host_name, (int)conn->port, FALSE, &addr);
    if(rc == CURLRESOLV_PENDING)
      /* BLOCKING, ignores the return code but 'addr' will be NULL in
         case of failure */
@ -1950,7 +1950,7 @@ static CURLcode ftp_state_pasv_resp(struct connectdata *conn,
  }
  else {
    /* normal, direct, ftp connection */
-    rc = Curl_resolv(conn, ftpc->newhost, ftpc->newport, &addr);
+    rc = Curl_resolv(conn, ftpc->newhost, ftpc->newport, FALSE, &addr);
    if(rc == CURLRESOLV_PENDING)
      /* BLOCKING */
      (void)Curl_resolver_wait_resolv(conn, &addr);
--- a/lib/hostip.c
+++ b/lib/hostip.c
@ -482,6 +482,7 @@ Curl_cache_addr(struct Curl_easy *data,
 int Curl_resolv(struct connectdata *conn,
                const char *hostname,
                int port,
+                bool allowDOH,
                struct Curl_dns_entry **entry)
 {
  struct Curl_dns_entry *dns = NULL;
@ -527,7 +528,7 @@ int Curl_resolv(struct connectdata *conn,
        return CURLRESOLV_ERROR;
    }

-    if(data->set.doh) {
+    if(allowDOH && data->set.doh) {
      addr = Curl_doh(conn, hostname, port, &respwait);
    }
    else {
@ -653,7 +654,7 @@ int Curl_resolv_timeout(struct connectdata *conn,

  if(!timeout)
    /* USE_ALARM_TIMEOUT defined, but no timeout actually requested */
-    return Curl_resolv(conn, hostname, port, entry);
+    return Curl_resolv(conn, hostname, port, TRUE, entry);

  if(timeout < 1000) {
    /* The alarm() function only provides integer second resolution, so if
@ -715,7 +716,7 @@ int Curl_resolv_timeout(struct connectdata *conn,
  /* Perform the actual name resolution. This might be interrupted by an
   * alarm if it takes too long.
   */
-  rc = Curl_resolv(conn, hostname, port, entry);
+  rc = Curl_resolv(conn, hostname, port, TRUE, entry);

 #ifdef USE_ALARM_TIMEOUT
 clean_up:
--- a/lib/hostip.h
+++ b/lib/hostip.h
@ -83,8 +83,11 @@ struct Curl_dns_entry {
 #define CURLRESOLV_ERROR    -1
 #define CURLRESOLV_RESOLVED  0
 #define CURLRESOLV_PENDING   1
-int Curl_resolv(struct connectdata *conn, const char *hostname,
-                int port, struct Curl_dns_entry **dnsentry);
+int Curl_resolv(struct connectdata *conn,
+                const char *hostname,
+                int port,
+                bool allowDOH,
+                struct Curl_dns_entry **dnsentry);
 int Curl_resolv_timeout(struct connectdata *conn, const char *hostname,
                        int port, struct Curl_dns_entry **dnsentry,
                        time_t timeoutms);
--- a/lib/socks.c
+++ b/lib/socks.c
@ -155,7 +155,7 @@ CURLcode Curl_SOCKS4(const char *proxy_user,
    Curl_addrinfo *hp = NULL;
    int rc;

-    rc = Curl_resolv(conn, hostname, remote_port, &dns);
+    rc = Curl_resolv(conn, hostname, remote_port, FALSE, &dns);

    if(rc == CURLRESOLV_ERROR)
      return CURLE_COULDNT_RESOLVE_PROXY;
@ -609,7 +609,7 @@ CURLcode Curl_SOCKS5(const char *proxy_user,
  else {
    struct Curl_dns_entry *dns;
    Curl_addrinfo *hp = NULL;
-    int rc = Curl_resolv(conn, hostname, remote_port, &dns);
+    int rc = Curl_resolv(conn, hostname, remote_port, FALSE, &dns);

    if(rc == CURLRESOLV_ERROR)
      return CURLE_COULDNT_RESOLVE_HOST;