Switch to a new way of activating DNS-over-TLS

This change removes the global database of potential DNS-over-TLS
servers from Netd, and makes pinned or named servers mandatory-TLS,
not opportunistic.

Bug: 64753847
Change-Id: I226ffec3f59593bc40cd9019095c5261aae55fa0
Test: Tests pass.  Normal browsing continues to work normally.
diff --git a/server/ResolverController.h b/server/ResolverController.h
index b283e8b..383b1ab 100644
--- a/server/ResolverController.h
+++ b/server/ResolverController.h
@@ -39,13 +39,14 @@
     int setDnsServers(unsigned netId, const char* searchDomains, const char** servers,
             int numservers, const __res_params* params);
 
+    // Validation status of a DNS over TLS server (on a specific netId).
+    enum class Validation : uint8_t { in_process, success, fail, unknown_server, unknown_netid };
+
     // Given a netId and the address of an insecure (i.e. normal) DNS server, this method checks
     // if there is a known secure DNS server with the same IP address that has been validated as
-    // accessible on this netId.  If so, it returns true, providing the server's address
-    // (including port) and pin fingerprints (possibly empty) in the output parameter.
-    // TODO: Add support for optional stronger security, by returning true even if the secure
-    // server is not accessible.
-    bool shouldUseTls(unsigned netId, const sockaddr_storage& insecureServer,
+    // accessible on this netId.  It returns the validation status, and provides the secure server
+    // (including port, name, and fingerprints) in the output parameter.
+    Validation getTlsStatus(unsigned netId, const sockaddr_storage& insecureServer,
             DnsTlsTransport::Server* secureServer);
 
     int clearDnsServers(unsigned netid);
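Review bot: The comment above `getTlsStatus` does not say what each `Validation` value obliges the caller to do or for which values `secureServer` is written, and its first sentence still describes the old boolean check ("validated as accessible"). The commit message makes pinned or named servers mandatory-TLS, so the contract that matters is which statuses permit a cleartext query. A caller that maps every non-`success` value to "use the insecure server" would presumably undo that guarantee for `fail` and `in_process`. I would document each enumerator, e.g. `// fail: validation failed; no cleartext fallback when the server is named or pinned`, and add `// secureServer is only written for in_process, success and fail` if that matches the implementation. The implementation is outside this hunk, so the exact semantics need confirming there.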
@@ -59,18 +60,15 @@
     // Binder specific functions, which convert between the binder int/string arrays and the
     // actual data structures, and call setDnsServer() / getDnsInfo() for the actual processing.
     int setResolverConfiguration(int32_t netId, const std::vector<std::string>& servers,
-            const std::vector<std::string>& domains, const std::vector<int32_t>& params);
+            const std::vector<std::string>& domains, const std::vector<int32_t>& params,
+            bool useTls, const std::string& tlsName,
+            const std::set<std::vector<uint8_t>>& tlsFingerprints);
 
     int getResolverInfo(int32_t netId, std::vector<std::string>* servers,
             std::vector<std::string>* domains, std::vector<int32_t>* params,
             std::vector<int32_t>* stats);
     void dump(DumpWriter& dw, unsigned netId);
 
-    int addPrivateDnsServer(const std::string& server, int32_t port,
-            const std::string& name,
-            const std::string& fingerprintAlgorithm,
-            const std::set<std::vector<uint8_t>>& fingerprints);
-    int removePrivateDnsServer(const std::string& server);
 };
 
 }  // namespace net
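Review bot: The new `setResolverConfiguration` parameters drop the `fingerprintAlgorithm` argument that the removed `addPrivateDnsServer` carried, so the digest used for the pins is now implicit and the declaration gives a binder caller no hint of the expected hash or length. The interaction of the three arguments is also undocumented: is `useTls == true` with an empty `tlsName` and empty `tlsFingerprints` the opportunistic case, and is a non-empty name or pin set with `useTls == false` rejected or silently ignored? A comment such as `// tlsFingerprints: <digest algorithm> digests; a non-empty tlsName or tlsFingerprints makes TLS mandatory for this netId` would pin this down, with the algorithm filled in from the implementation. It is also worth confirming that the implementation rejects fingerprints of the wrong length rather than storing pins that can never match.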