Gitiles
Code Review Sign In
gerrit-public.fairphone.software / platform / packages / modules / DnsResolver / refs/heads/odm/rc/qssi/12/fp4 / . / PrivateDnsConfiguration.cpp
blob: b09c7ce390a166d12e1666103dd3c33a00ec2057 [file] [log] [blame]
/*
* Copyright (C) 2018 The Android Open Source Project
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
#define LOG_TAG "resolv"
#include "PrivateDnsConfiguration.h"
#include <android-base/format.h>
#include <android-base/logging.h>
#include <android-base/stringprintf.h>
#include <netdutils/ThreadUtil.h>
#include <sys/socket.h>
#include "DnsTlsTransport.h"
#include "ResolverEventReporter.h"
#include "netd_resolv/resolv.h"
#include "util.h"
using aidl::android::net::resolv::aidl::IDnsResolverUnsolicitedEventListener;
using aidl::android::net::resolv::aidl::PrivateDnsValidationEventParcel;
using android::base::StringPrintf;
using android::netdutils::setThreadName;
using std::chrono::milliseconds;
namespace android {
namespace net {
bool parseServer(const char* server, sockaddr_storage* parsed) {
addrinfo hints = {
.ai_flags = AI_NUMERICHOST | AI_NUMERICSERV,
.ai_family = AF_UNSPEC,
};
addrinfo* res;
int err = getaddrinfo(server, "853", &hints, &res);
if (err != 0) {
LOG(WARNING) << "Failed to parse server address (" << server << "): " << gai_strerror(err);
return false;
}
memcpy(parsed, res->ai_addr, res->ai_addrlen);
freeaddrinfo(res);
return true;
}
int PrivateDnsConfiguration::set(int32_t netId, uint32_t mark,
const std::vector<std::string>& servers, const std::string& name,
const std::string& caCert) {
LOG(DEBUG) << "PrivateDnsConfiguration::set(" << netId << ", 0x" << std::hex << mark << std::dec
<< ", " << servers.size() << ", " << name << ")";
// Parse the list of servers that has been passed in
PrivateDnsTracker tmp;
for (const auto& s : servers) {
sockaddr_storage parsed;
if (!parseServer(s.c_str(), &parsed)) {
return -EINVAL;
}
auto server = std::make_unique<DnsTlsServer>(parsed);
server->name = name;
server->certificate = caCert;
server->mark = mark;
tmp[ServerIdentity(*server)] = std::move(server);
}
std::lock_guard guard(mPrivateDnsLock);
if (!name.empty()) {
mPrivateDnsModes[netId] = PrivateDnsMode::STRICT;
} else if (!tmp.empty()) {
mPrivateDnsModes[netId] = PrivateDnsMode::OPPORTUNISTIC;
} else {
mPrivateDnsModes[netId] = PrivateDnsMode::OFF;
mPrivateDnsTransports.erase(netId);
// TODO: signal validation threads to stop.
return 0;
}
// Create the tracker if it was not present
auto& tracker = mPrivateDnsTransports[netId];
// Add the servers if not contained in tracker.
for (auto& [identity, server] : tmp) {
if (tracker.find(identity) == tracker.end()) {
tracker[identity] = std::move(server);
}
}
for (auto& [identity, server] : tracker) {
const bool active = tmp.find(identity) != tmp.end();
server->setActive(active);
// For simplicity, deem the validation result of inactive servers as unreliable.
if (!server->active() && server->validationState() == Validation::success) {
updateServerState(identity, Validation::success_but_expired, netId);
}
if (needsValidation(*server)) {
updateServerState(identity, Validation::in_process, netId);
startValidation(identity, netId, false);
}
}
return 0;
}
PrivateDnsStatus PrivateDnsConfiguration::getStatus(unsigned netId) const {
PrivateDnsStatus status{PrivateDnsMode::OFF, {}};
std::lock_guard guard(mPrivateDnsLock);
const auto mode = mPrivateDnsModes.find(netId);
if (mode == mPrivateDnsModes.end()) return status;
status.mode = mode->second;
const auto netPair = mPrivateDnsTransports.find(netId);
if (netPair != mPrivateDnsTransports.end()) {
for (const auto& [_, server] : netPair->second) {
if (server->isDot() && server->active()) {
DnsTlsServer& dotServer = *static_cast<DnsTlsServer*>(server.get());
status.serversMap.emplace(dotServer, server->validationState());
}
// TODO: also add DoH server to the map.
}
}
return status;
}
void PrivateDnsConfiguration::clear(unsigned netId) {
LOG(DEBUG) << "PrivateDnsConfiguration::clear(" << netId << ")";
std::lock_guard guard(mPrivateDnsLock);
mPrivateDnsModes.erase(netId);
mPrivateDnsTransports.erase(netId);
}
base::Result<void> PrivateDnsConfiguration::requestValidation(unsigned netId,
const ServerIdentity& identity,
uint32_t mark) {
std::lock_guard guard(mPrivateDnsLock);
// Running revalidation requires to mark the server as in_process, which means the server
// won't be used until the validation passes. It's necessary and safe to run revalidation
// when in private DNS opportunistic mode, because there's a fallback mechanics even if
// all of the private DNS servers are in in_process state.
if (auto it = mPrivateDnsModes.find(netId); it == mPrivateDnsModes.end()) {
return Errorf("NetId not found in mPrivateDnsModes");
} else if (it->second != PrivateDnsMode::OPPORTUNISTIC) {
return Errorf("Private DNS setting is not opportunistic mode");
}
auto result = getPrivateDnsLocked(identity, netId);
if (!result.ok()) {
return result.error();
}
const IPrivateDnsServer* server = result.value();
if (!server->active()) return Errorf("Server is not active");
if (server->validationState() != Validation::success) {
return Errorf("Server validation state mismatched");
}
// Don't run the validation if |mark| (from android_net_context.dns_mark) is different.
// This is to protect validation from running on unexpected marks.
// Validation should be associated with a mark gotten by system permission.
if (server->validationMark() != mark) return Errorf("Socket mark mismatched");
updateServerState(identity, Validation::in_process, netId);
startValidation(identity, netId, true);
return {};
}
void PrivateDnsConfiguration::startValidation(const ServerIdentity& identity, unsigned netId,
bool isRevalidation) {
// This ensures that the thread sends probe at least once in case
// the server is removed before the thread starts running.
// TODO: consider moving these code to the thread.
const auto result = getPrivateDnsLocked(identity, netId);
if (!result.ok()) return;
DnsTlsServer server = *static_cast<const DnsTlsServer*>(result.value());
std::thread validate_thread([this, identity, server, netId, isRevalidation] {
setThreadName(StringPrintf("TlsVerify_%u", netId).c_str());
// cat /proc/sys/net/ipv4/tcp_syn_retries yields "6".
//
// Start with a 1 minute delay and backoff to once per hour.
//
// Assumptions:
// [1] Each TLS validation is ~10KB of certs+handshake+payload.
// [2] Network typically provision clients with <=4 nameservers.
// [3] Average month has 30 days.
//
// Each validation pass in a given hour is ~1.2MB of data. And 24
// such validation passes per day is about ~30MB per month, in the
// worst case. Otherwise, this will cost ~600 SYNs per month
// (6 SYNs per ip, 4 ips per validation pass, 24 passes per day).
auto backoff = mBackoffBuilder.build();
while (true) {
// ::validate() is a blocking call that performs network operations.
// It can take milliseconds to minutes, up to the SYN retry limit.
LOG(WARNING) << "Validating DnsTlsServer " << server.toIpString() << " with mark 0x"
<< std::hex << server.validationMark();
const bool success = DnsTlsTransport::validate(server, server.validationMark());
LOG(WARNING) << "validateDnsTlsServer returned " << success << " for "
<< server.toIpString();
const bool needs_reeval =
this->recordPrivateDnsValidation(identity, netId, success, isRevalidation);
if (!needs_reeval) {
break;
}
if (backoff.hasNextTimeout()) {
// TODO: make the thread able to receive signals to shutdown early.
std::this_thread::sleep_for(backoff.getNextTimeout());
} else {
break;
}
}
});
validate_thread.detach();
}
void PrivateDnsConfiguration::sendPrivateDnsValidationEvent(const ServerIdentity& identity,
unsigned netId, bool success) {
LOG(DEBUG) << "Sending validation " << (success ? "success" : "failure") << " event on netId "
<< netId << " for " << identity.sockaddr.ip().toString() << " with hostname {"
<< identity.provider << "}";
// Send a validation event to NetdEventListenerService.
const auto& listeners = ResolverEventReporter::getInstance().getListeners();
if (listeners.empty()) {
LOG(ERROR)
<< "Validation event not sent since no INetdEventListener receiver is available.";
}
for (const auto& it : listeners) {
it->onPrivateDnsValidationEvent(netId, identity.sockaddr.ip().toString(), identity.provider,
success);
}
// Send a validation event to unsolicited event listeners.
const auto& unsolEventListeners = ResolverEventReporter::getInstance().getUnsolEventListeners();
const PrivateDnsValidationEventParcel validationEvent = {
.netId = static_cast<int32_t>(netId),
.ipAddress = identity.sockaddr.ip().toString(),
.hostname = identity.provider,
.validation = success ? IDnsResolverUnsolicitedEventListener::VALIDATION_RESULT_SUCCESS
: IDnsResolverUnsolicitedEventListener::VALIDATION_RESULT_FAILURE,
};
for (const auto& it : unsolEventListeners) {
it->onPrivateDnsValidationEvent(validationEvent);
}
}
bool PrivateDnsConfiguration::recordPrivateDnsValidation(const ServerIdentity& identity,
unsigned netId, bool success,
bool isRevalidation) {
constexpr bool NEEDS_REEVALUATION = true;
constexpr bool DONT_REEVALUATE = false;
std::lock_guard guard(mPrivateDnsLock);
auto netPair = mPrivateDnsTransports.find(netId);
if (netPair == mPrivateDnsTransports.end()) {
LOG(WARNING) << "netId " << netId << " was erased during private DNS validation";
notifyValidationStateUpdate(identity.sockaddr, Validation::fail, netId);
return DONT_REEVALUATE;
}
const auto mode = mPrivateDnsModes.find(netId);
if (mode == mPrivateDnsModes.end()) {
LOG(WARNING) << "netId " << netId << " has no private DNS validation mode";
notifyValidationStateUpdate(identity.sockaddr, Validation::fail, netId);
return DONT_REEVALUATE;
}
bool reevaluationStatus = NEEDS_REEVALUATION;
if (success) {
reevaluationStatus = DONT_REEVALUATE;
} else if (mode->second == PrivateDnsMode::OFF) {
reevaluationStatus = DONT_REEVALUATE;
} else if (mode->second == PrivateDnsMode::OPPORTUNISTIC && !isRevalidation) {
reevaluationStatus = DONT_REEVALUATE;
}
auto& tracker = netPair->second;
auto serverPair = tracker.find(identity);
if (serverPair == tracker.end()) {
LOG(WARNING) << "Server " << identity.sockaddr.ip().toString()
<< " was removed during private DNS validation";
success = false;
reevaluationStatus = DONT_REEVALUATE;
} else if (!serverPair->second->active()) {
LOG(WARNING) << "Server " << identity.sockaddr.ip().toString()
<< " was removed from the configuration";
success = false;
reevaluationStatus = DONT_REEVALUATE;
}
// Send private dns validation result to listeners.
sendPrivateDnsValidationEvent(identity, netId, success);
if (success) {
updateServerState(identity, Validation::success, netId);
} else {
// Validation failure is expected if a user is on a captive portal.
// TODO: Trigger a second validation attempt after captive portal login
// succeeds.
const auto result = (reevaluationStatus == NEEDS_REEVALUATION) ? Validation::in_process
: Validation::fail;
updateServerState(identity, result, netId);
}
LOG(WARNING) << "Validation " << (success ? "success" : "failed");
return reevaluationStatus;
}
void PrivateDnsConfiguration::updateServerState(const ServerIdentity& identity, Validation state,
uint32_t netId) {
const auto result = getPrivateDnsLocked(identity, netId);
if (!result.ok()) {
notifyValidationStateUpdate(identity.sockaddr, Validation::fail, netId);
return;
}
auto* server = result.value();
server->setValidationState(state);
notifyValidationStateUpdate(identity.sockaddr, state, netId);
RecordEntry record(netId, identity, state);
mPrivateDnsLog.push(std::move(record));
}
bool PrivateDnsConfiguration::needsValidation(const IPrivateDnsServer& server) const {
// The server is not expected to be used on the network.
if (!server.active()) return false;
// The server is newly added.
if (server.validationState() == Validation::unknown_server) return true;
// The server has failed at least one validation attempt. Give it another try.
if (server.validationState() == Validation::fail) return true;
// The previous validation result might be unreliable.
if (server.validationState() == Validation::success_but_expired) return true;
return false;
}
base::Result<IPrivateDnsServer*> PrivateDnsConfiguration::getPrivateDns(
const ServerIdentity& identity, unsigned netId) {
std::lock_guard guard(mPrivateDnsLock);
return getPrivateDnsLocked(identity, netId);
}
base::Result<IPrivateDnsServer*> PrivateDnsConfiguration::getPrivateDnsLocked(
const ServerIdentity& identity, unsigned netId) {
auto netPair = mPrivateDnsTransports.find(netId);
if (netPair == mPrivateDnsTransports.end()) {
return Errorf("Failed to get private DNS: netId {} not found", netId);
}
auto iter = netPair->second.find(identity);
if (iter == netPair->second.end()) {
return Errorf("Failed to get private DNS: server {{{}/{}}} not found", identity.sockaddr,
identity.provider);
}
return iter->second.get();
}
void PrivateDnsConfiguration::setObserver(PrivateDnsValidationObserver* observer) {
std::lock_guard guard(mPrivateDnsLock);
mObserver = observer;
}
void PrivateDnsConfiguration::notifyValidationStateUpdate(const netdutils::IPSockAddr& sockaddr,
Validation validation,
uint32_t netId) const {
if (mObserver) {
mObserver->onValidationStateUpdate(sockaddr.ip().toString(), validation, netId);
}
}
void PrivateDnsConfiguration::dump(netdutils::DumpWriter& dw) const {
dw.println("PrivateDnsLog:");
netdutils::ScopedIndent indentStats(dw);
for (const auto& record : mPrivateDnsLog.copy()) {
dw.println(fmt::format(
"{} - netId={} PrivateDns={{{}/{}}} state={}", timestampToString(record.timestamp),
record.netId, record.serverIdentity.sockaddr.toString(),
record.serverIdentity.provider, validationStatusToString(record.state)));
}
dw.blankline();
}
} // namespace net
} // namespace android