Mike Yu | b601ff7 | 2018-11-01 20:07:00 +0800 | [diff] [blame] | 1 | /* |
| 2 | * Copyright (C) 2018 The Android Open Source Project |
| 3 | * |
| 4 | * Licensed under the Apache License, Version 2.0 (the "License"); |
| 5 | * you may not use this file except in compliance with the License. |
| 6 | * You may obtain a copy of the License at |
| 7 | * |
| 8 | * http://www.apache.org/licenses/LICENSE-2.0 |
| 9 | * |
| 10 | * Unless required by applicable law or agreed to in writing, software |
| 11 | * distributed under the License is distributed on an "AS IS" BASIS, |
| 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
| 13 | * See the License for the specific language governing permissions and |
| 14 | * limitations under the License. |
| 15 | */ |
| 16 | |
| 17 | #define LOG_TAG "PrivateDnsConfiguration" |
| 18 | #define DBG 0 |
| 19 | |
Mike Yu | 303b0df | 2018-12-24 17:05:02 +0800 | [diff] [blame] | 20 | #include "PrivateDnsConfiguration.h" |
| 21 | |
Mike Yu | b601ff7 | 2018-11-01 20:07:00 +0800 | [diff] [blame] | 22 | #include <log/log.h> |
| 23 | #include <netdb.h> |
| 24 | #include <sys/socket.h> |
| 25 | |
Bernie Innocenti | ec4219b | 2019-01-30 11:16:36 +0900 | [diff] [blame] | 26 | #include "DnsTlsTransport.h" |
Mike Yu | 303b0df | 2018-12-24 17:05:02 +0800 | [diff] [blame] | 27 | #include "ResolverEventReporter.h" |
Bernie Innocenti | ec4219b | 2019-01-30 11:16:36 +0900 | [diff] [blame] | 28 | #include "netd_resolv/resolv.h" |
Mike Yu | b601ff7 | 2018-11-01 20:07:00 +0800 | [diff] [blame] | 29 | #include "netdutils/BackoffSequence.h" |
| 30 | |
Mike Yu | 303b0df | 2018-12-24 17:05:02 +0800 | [diff] [blame] | 31 | using aidl::android::net::metrics::INetdEventListener; |
| 32 | |
Mike Yu | b601ff7 | 2018-11-01 20:07:00 +0800 | [diff] [blame] | 33 | int resolv_set_private_dns_for_net(unsigned netid, uint32_t mark, const char** servers, |
Bernie Innocenti | b102dd2 | 2018-12-04 14:57:48 +0900 | [diff] [blame] | 34 | const int numServers, const char* tlsName, |
| 35 | const uint8_t** fingerprints, const int numFingerprint) { |
Mike Yu | b601ff7 | 2018-11-01 20:07:00 +0800 | [diff] [blame] | 36 | std::vector<std::string> tlsServers; |
Bernie Innocenti | b102dd2 | 2018-12-04 14:57:48 +0900 | [diff] [blame] | 37 | for (int i = 0; i < numServers; i++) { |
Mike Yu | b601ff7 | 2018-11-01 20:07:00 +0800 | [diff] [blame] | 38 | tlsServers.push_back(std::string(servers[i])); |
| 39 | } |
| 40 | |
| 41 | std::set<std::vector<uint8_t>> tlsFingerprints; |
Bernie Innocenti | b102dd2 | 2018-12-04 14:57:48 +0900 | [diff] [blame] | 42 | for (int i = 0; i < numFingerprint; i++) { |
Mike Yu | b601ff7 | 2018-11-01 20:07:00 +0800 | [diff] [blame] | 43 | // Each fingerprint stored are 32(SHA256_SIZE) bytes long. |
| 44 | tlsFingerprints.emplace(std::vector<uint8_t>(fingerprints[i], fingerprints[i] + 32)); |
| 45 | } |
| 46 | |
| 47 | return android::net::gPrivateDnsConfiguration.set(netid, mark, tlsServers, std::string(tlsName), |
| 48 | tlsFingerprints); |
| 49 | } |
| 50 | |
| 51 | void resolv_delete_private_dns_for_net(unsigned netid) { |
| 52 | android::net::gPrivateDnsConfiguration.clear(netid); |
| 53 | } |
| 54 | |
| 55 | void resolv_get_private_dns_status_for_net(unsigned netid, ExternalPrivateDnsStatus* status) { |
| 56 | android::net::gPrivateDnsConfiguration.getStatus(netid, status); |
| 57 | } |
| 58 | |
Mike Yu | b601ff7 | 2018-11-01 20:07:00 +0800 | [diff] [blame] | 59 | namespace android { |
| 60 | |
| 61 | using android::netdutils::BackoffSequence; |
| 62 | |
| 63 | namespace net { |
| 64 | |
| 65 | std::string addrToString(const sockaddr_storage* addr) { |
| 66 | char out[INET6_ADDRSTRLEN] = {0}; |
| 67 | getnameinfo((const sockaddr*) addr, sizeof(sockaddr_storage), out, INET6_ADDRSTRLEN, nullptr, 0, |
| 68 | NI_NUMERICHOST); |
| 69 | return std::string(out); |
| 70 | } |
| 71 | |
| 72 | bool parseServer(const char* server, sockaddr_storage* parsed) { |
| 73 | addrinfo hints = {.ai_family = AF_UNSPEC, .ai_flags = AI_NUMERICHOST | AI_NUMERICSERV}; |
| 74 | addrinfo* res; |
| 75 | |
| 76 | int err = getaddrinfo(server, "853", &hints, &res); |
| 77 | if (err != 0) { |
| 78 | ALOGW("Failed to parse server address (%s): %s", server, gai_strerror(err)); |
| 79 | return false; |
| 80 | } |
| 81 | |
| 82 | memcpy(parsed, res->ai_addr, res->ai_addrlen); |
| 83 | freeaddrinfo(res); |
| 84 | return true; |
| 85 | } |
| 86 | |
Mike Yu | b601ff7 | 2018-11-01 20:07:00 +0800 | [diff] [blame] | 87 | int PrivateDnsConfiguration::set(int32_t netId, uint32_t mark, |
| 88 | const std::vector<std::string>& servers, const std::string& name, |
| 89 | const std::set<std::vector<uint8_t>>& fingerprints) { |
| 90 | if (DBG) { |
| 91 | ALOGD("PrivateDnsConfiguration::set(%u, %zu, %s, %zu)", netId, servers.size(), name.c_str(), |
| 92 | fingerprints.size()); |
| 93 | } |
| 94 | |
| 95 | const bool explicitlyConfigured = !name.empty() || !fingerprints.empty(); |
| 96 | |
| 97 | // Parse the list of servers that has been passed in |
| 98 | std::set<DnsTlsServer> tlsServers; |
| 99 | for (size_t i = 0; i < servers.size(); ++i) { |
| 100 | sockaddr_storage parsed; |
| 101 | if (!parseServer(servers[i].c_str(), &parsed)) { |
| 102 | return -EINVAL; |
| 103 | } |
| 104 | DnsTlsServer server(parsed); |
| 105 | server.name = name; |
| 106 | server.fingerprints = fingerprints; |
| 107 | tlsServers.insert(server); |
| 108 | } |
| 109 | |
| 110 | std::lock_guard guard(mPrivateDnsLock); |
| 111 | if (explicitlyConfigured) { |
| 112 | mPrivateDnsModes[netId] = PrivateDnsMode::STRICT; |
| 113 | } else if (!tlsServers.empty()) { |
| 114 | mPrivateDnsModes[netId] = PrivateDnsMode::OPPORTUNISTIC; |
| 115 | } else { |
| 116 | mPrivateDnsModes[netId] = PrivateDnsMode::OFF; |
| 117 | mPrivateDnsTransports.erase(netId); |
| 118 | return 0; |
| 119 | } |
| 120 | |
| 121 | // Create the tracker if it was not present |
| 122 | auto netPair = mPrivateDnsTransports.find(netId); |
| 123 | if (netPair == mPrivateDnsTransports.end()) { |
| 124 | // No TLS tracker yet for this netId. |
| 125 | bool added; |
| 126 | std::tie(netPair, added) = mPrivateDnsTransports.emplace(netId, PrivateDnsTracker()); |
| 127 | if (!added) { |
| 128 | ALOGE("Memory error while recording private DNS for netId %d", netId); |
| 129 | return -ENOMEM; |
| 130 | } |
| 131 | } |
| 132 | auto& tracker = netPair->second; |
| 133 | |
| 134 | // Remove any servers from the tracker that are not in |servers| exactly. |
| 135 | for (auto it = tracker.begin(); it != tracker.end();) { |
| 136 | if (tlsServers.count(it->first) == 0) { |
| 137 | it = tracker.erase(it); |
| 138 | } else { |
| 139 | ++it; |
| 140 | } |
| 141 | } |
| 142 | |
| 143 | // Add any new or changed servers to the tracker, and initiate async checks for them. |
| 144 | for (const auto& server : tlsServers) { |
| 145 | if (needsValidation(tracker, server)) { |
| 146 | validatePrivateDnsProvider(server, tracker, netId, mark); |
| 147 | } |
| 148 | } |
| 149 | return 0; |
| 150 | } |
| 151 | |
| 152 | PrivateDnsStatus PrivateDnsConfiguration::getStatus(unsigned netId) { |
| 153 | PrivateDnsStatus status{PrivateDnsMode::OFF, {}}; |
| 154 | |
| 155 | // This mutex is on the critical path of every DNS lookup. |
| 156 | // |
| 157 | // If the overhead of mutex acquisition proves too high, we could reduce |
| 158 | // it by maintaining an atomic_int32_t counter of TLS-enabled netids, or |
| 159 | // by using an RWLock. |
| 160 | std::lock_guard guard(mPrivateDnsLock); |
| 161 | |
| 162 | const auto mode = mPrivateDnsModes.find(netId); |
| 163 | if (mode == mPrivateDnsModes.end()) return status; |
| 164 | status.mode = mode->second; |
| 165 | |
| 166 | const auto netPair = mPrivateDnsTransports.find(netId); |
| 167 | if (netPair != mPrivateDnsTransports.end()) { |
| 168 | for (const auto& serverPair : netPair->second) { |
| 169 | if (serverPair.second == Validation::success) { |
| 170 | status.validatedServers.push_back(serverPair.first); |
| 171 | } |
| 172 | } |
| 173 | } |
| 174 | |
| 175 | return status; |
| 176 | } |
| 177 | |
| 178 | void PrivateDnsConfiguration::getStatus(unsigned netId, ExternalPrivateDnsStatus* status) { |
| 179 | // This mutex is on the critical path of every DNS lookup. |
| 180 | // |
| 181 | // If the overhead of mutex acquisition proves too high, we could reduce |
| 182 | // it by maintaining an atomic_int32_t counter of TLS-enabled netids, or |
| 183 | // by using an RWLock. |
| 184 | std::lock_guard guard(mPrivateDnsLock); |
| 185 | |
| 186 | const auto mode = mPrivateDnsModes.find(netId); |
| 187 | if (mode == mPrivateDnsModes.end()) return; |
| 188 | status->mode = mode->second; |
| 189 | |
| 190 | const auto netPair = mPrivateDnsTransports.find(netId); |
| 191 | if (netPair != mPrivateDnsTransports.end()) { |
Mike Yu | b601ff7 | 2018-11-01 20:07:00 +0800 | [diff] [blame] | 192 | int count = 0; |
| 193 | for (const auto& serverPair : netPair->second) { |
| 194 | status->serverStatus[count].ss = serverPair.first.ss; |
| 195 | status->serverStatus[count].hostname = |
| 196 | serverPair.first.name.empty() ? "" : serverPair.first.name.c_str(); |
| 197 | status->serverStatus[count].validation = serverPair.second; |
Mike Yu | b601ff7 | 2018-11-01 20:07:00 +0800 | [diff] [blame] | 198 | count++; |
Bernie Innocenti | 4c2a461 | 2018-11-20 19:23:56 +0900 | [diff] [blame] | 199 | if (count >= MAXNS) break; // Lose the rest |
Mike Yu | b601ff7 | 2018-11-01 20:07:00 +0800 | [diff] [blame] | 200 | } |
Bernie Innocenti | 9339022 | 2019-01-10 18:33:45 +0900 | [diff] [blame] | 201 | status->numServers = count; |
Mike Yu | b601ff7 | 2018-11-01 20:07:00 +0800 | [diff] [blame] | 202 | } |
| 203 | } |
| 204 | |
| 205 | void PrivateDnsConfiguration::clear(unsigned netId) { |
| 206 | if (DBG) { |
| 207 | ALOGD("PrivateDnsConfiguration::clear(%u)", netId); |
| 208 | } |
| 209 | std::lock_guard guard(mPrivateDnsLock); |
| 210 | mPrivateDnsModes.erase(netId); |
| 211 | mPrivateDnsTransports.erase(netId); |
| 212 | } |
| 213 | |
| 214 | void PrivateDnsConfiguration::validatePrivateDnsProvider(const DnsTlsServer& server, |
| 215 | PrivateDnsTracker& tracker, unsigned netId, |
| 216 | uint32_t mark) REQUIRES(mPrivateDnsLock) { |
| 217 | if (DBG) { |
Mike Yu | 303b0df | 2018-12-24 17:05:02 +0800 | [diff] [blame] | 218 | ALOGD("validatePrivateDnsProvider(%s, %u)", addrToString(&server.ss).c_str(), netId); |
Mike Yu | b601ff7 | 2018-11-01 20:07:00 +0800 | [diff] [blame] | 219 | } |
| 220 | |
| 221 | tracker[server] = Validation::in_process; |
| 222 | if (DBG) { |
| 223 | ALOGD("Server %s marked as in_process. Tracker now has size %zu", |
Mike Yu | 303b0df | 2018-12-24 17:05:02 +0800 | [diff] [blame] | 224 | addrToString(&server.ss).c_str(), tracker.size()); |
Mike Yu | b601ff7 | 2018-11-01 20:07:00 +0800 | [diff] [blame] | 225 | } |
| 226 | // Note that capturing |server| and |netId| in this lambda create copies. |
| 227 | std::thread validate_thread([this, server, netId, mark] { |
| 228 | // cat /proc/sys/net/ipv4/tcp_syn_retries yields "6". |
| 229 | // |
| 230 | // Start with a 1 minute delay and backoff to once per hour. |
| 231 | // |
| 232 | // Assumptions: |
| 233 | // [1] Each TLS validation is ~10KB of certs+handshake+payload. |
| 234 | // [2] Network typically provision clients with <=4 nameservers. |
| 235 | // [3] Average month has 30 days. |
| 236 | // |
| 237 | // Each validation pass in a given hour is ~1.2MB of data. And 24 |
| 238 | // such validation passes per day is about ~30MB per month, in the |
| 239 | // worst case. Otherwise, this will cost ~600 SYNs per month |
| 240 | // (6 SYNs per ip, 4 ips per validation pass, 24 passes per day). |
| 241 | auto backoff = BackoffSequence<>::Builder() |
| 242 | .withInitialRetransmissionTime(std::chrono::seconds(60)) |
| 243 | .withMaximumRetransmissionTime(std::chrono::seconds(3600)) |
| 244 | .build(); |
| 245 | |
| 246 | while (true) { |
| 247 | // ::validate() is a blocking call that performs network operations. |
| 248 | // It can take milliseconds to minutes, up to the SYN retry limit. |
| 249 | const bool success = DnsTlsTransport::validate(server, netId, mark); |
| 250 | if (DBG) { |
| 251 | ALOGD("validateDnsTlsServer returned %d for %s", success, |
Mike Yu | 303b0df | 2018-12-24 17:05:02 +0800 | [diff] [blame] | 252 | addrToString(&server.ss).c_str()); |
Mike Yu | b601ff7 | 2018-11-01 20:07:00 +0800 | [diff] [blame] | 253 | } |
| 254 | |
| 255 | const bool needs_reeval = this->recordPrivateDnsValidation(server, netId, success); |
| 256 | if (!needs_reeval) { |
| 257 | break; |
| 258 | } |
| 259 | |
| 260 | if (backoff.hasNextTimeout()) { |
| 261 | std::this_thread::sleep_for(backoff.getNextTimeout()); |
| 262 | } else { |
| 263 | break; |
| 264 | } |
| 265 | } |
| 266 | }); |
| 267 | validate_thread.detach(); |
| 268 | } |
| 269 | |
| 270 | bool PrivateDnsConfiguration::recordPrivateDnsValidation(const DnsTlsServer& server, unsigned netId, |
| 271 | bool success) { |
| 272 | constexpr bool NEEDS_REEVALUATION = true; |
| 273 | constexpr bool DONT_REEVALUATE = false; |
| 274 | |
| 275 | std::lock_guard guard(mPrivateDnsLock); |
| 276 | |
| 277 | auto netPair = mPrivateDnsTransports.find(netId); |
| 278 | if (netPair == mPrivateDnsTransports.end()) { |
| 279 | ALOGW("netId %u was erased during private DNS validation", netId); |
| 280 | return DONT_REEVALUATE; |
| 281 | } |
| 282 | |
| 283 | const auto mode = mPrivateDnsModes.find(netId); |
| 284 | if (mode == mPrivateDnsModes.end()) { |
| 285 | ALOGW("netId %u has no private DNS validation mode", netId); |
| 286 | return DONT_REEVALUATE; |
| 287 | } |
| 288 | const bool modeDoesReevaluation = (mode->second == PrivateDnsMode::STRICT); |
| 289 | |
| 290 | bool reevaluationStatus = |
| 291 | (success || !modeDoesReevaluation) ? DONT_REEVALUATE : NEEDS_REEVALUATION; |
| 292 | |
| 293 | auto& tracker = netPair->second; |
| 294 | auto serverPair = tracker.find(server); |
| 295 | if (serverPair == tracker.end()) { |
| 296 | ALOGW("Server %s was removed during private DNS validation", |
Mike Yu | 303b0df | 2018-12-24 17:05:02 +0800 | [diff] [blame] | 297 | addrToString(&server.ss).c_str()); |
Mike Yu | b601ff7 | 2018-11-01 20:07:00 +0800 | [diff] [blame] | 298 | success = false; |
| 299 | reevaluationStatus = DONT_REEVALUATE; |
| 300 | } else if (!(serverPair->first == server)) { |
| 301 | // TODO: It doesn't seem correct to overwrite the tracker entry for |
| 302 | // |server| down below in this circumstance... Fix this. |
| 303 | ALOGW("Server %s was changed during private DNS validation", |
Mike Yu | 303b0df | 2018-12-24 17:05:02 +0800 | [diff] [blame] | 304 | addrToString(&server.ss).c_str()); |
Mike Yu | b601ff7 | 2018-11-01 20:07:00 +0800 | [diff] [blame] | 305 | success = false; |
| 306 | reevaluationStatus = DONT_REEVALUATE; |
| 307 | } |
| 308 | |
Mike Yu | 303b0df | 2018-12-24 17:05:02 +0800 | [diff] [blame] | 309 | // Send a validation event to NetdEventListenerService. |
Hungming Chen | a32c8c1 | 2019-01-25 10:47:40 +0800 | [diff] [blame^] | 310 | const auto& listeners = ResolverEventReporter::getInstance().getListeners(); |
| 311 | if (listeners.size() != 0) { |
| 312 | for (const auto& it : listeners) { |
| 313 | it->onPrivateDnsValidationEvent(netId, addrToString(&server.ss), server.name, success); |
| 314 | } |
Mike Yu | 303b0df | 2018-12-24 17:05:02 +0800 | [diff] [blame] | 315 | if (DBG) { |
| 316 | ALOGD("Sent validation %s event on netId %u for %s with hostname %s", |
| 317 | success ? "success" : "failure", netId, addrToString(&server.ss).c_str(), |
| 318 | server.name.c_str()); |
| 319 | } |
| 320 | } else { |
Hungming Chen | a32c8c1 | 2019-01-25 10:47:40 +0800 | [diff] [blame^] | 321 | ALOGE("Validation event not sent since no INetdEventListener receiver is available."); |
Mike Yu | b601ff7 | 2018-11-01 20:07:00 +0800 | [diff] [blame] | 322 | } |
| 323 | |
| 324 | if (success) { |
| 325 | tracker[server] = Validation::success; |
| 326 | if (DBG) { |
| 327 | ALOGD("Validation succeeded for %s! Tracker now has %zu entries.", |
Mike Yu | 303b0df | 2018-12-24 17:05:02 +0800 | [diff] [blame] | 328 | addrToString(&server.ss).c_str(), tracker.size()); |
Mike Yu | b601ff7 | 2018-11-01 20:07:00 +0800 | [diff] [blame] | 329 | } |
| 330 | } else { |
| 331 | // Validation failure is expected if a user is on a captive portal. |
| 332 | // TODO: Trigger a second validation attempt after captive portal login |
| 333 | // succeeds. |
| 334 | tracker[server] = (reevaluationStatus == NEEDS_REEVALUATION) ? Validation::in_process |
| 335 | : Validation::fail; |
| 336 | if (DBG) { |
Mike Yu | 303b0df | 2018-12-24 17:05:02 +0800 | [diff] [blame] | 337 | ALOGD("Validation failed for %s!", addrToString(&server.ss).c_str()); |
Mike Yu | b601ff7 | 2018-11-01 20:07:00 +0800 | [diff] [blame] | 338 | } |
| 339 | } |
| 340 | |
| 341 | return reevaluationStatus; |
| 342 | } |
| 343 | |
| 344 | // Start validation for newly added servers as well as any servers that have |
| 345 | // landed in Validation::fail state. Note that servers that have failed |
| 346 | // multiple validation attempts but for which there is still a validating |
| 347 | // thread running are marked as being Validation::in_process. |
| 348 | bool PrivateDnsConfiguration::needsValidation(const PrivateDnsTracker& tracker, |
| 349 | const DnsTlsServer& server) { |
| 350 | const auto& iter = tracker.find(server); |
| 351 | return (iter == tracker.end()) || (iter->second == Validation::fail); |
| 352 | } |
| 353 | |
| 354 | PrivateDnsConfiguration gPrivateDnsConfiguration; |
| 355 | |
| 356 | } // namespace net |
| 357 | } // namespace android |