Merge PrivateDnsConfiguration and qhook into libnetd_resolv
PrivateDnsConfiguration handles the operations which adds, validates,
and removes private DNS servers. It will be hidden inside the library
after this change.
PrivateDnsConfiguration and DnsTlsDispatcher will be constructed along
with netd starts. Their instances are now moved to the library. Netd
can use public functions to update private DNS servers. In addition,
qhook() is no longer needed for TLS query.
This change comprises:
[1] Provide APIs for netd to add and delete private DNS servers as
well as get status.
[2] Provide a way for netd to register callback which will be invoked
whenever private DNS servers validation finishes. This is used for
onPrivateDnsValidationEvent().
[3] Remove qhook in android_net_context, since DnsTls* have been moved
to libnetd_resolv library. Also, qhook and rhook are removed in the
library.
[4] The visibility of DnsTls* symbols are hidden, while they have been
visible for a while.
Bug: 113628807
Test: as follows
- built, flashed, booted
- system/netd/tests/runtests.sh
- DNS-over-TLS in live network passed
Change-Id: I235004e4019d88d0d162d7ebd452148cd14cfd39
diff --git a/resolv/include/netd_resolv/DnsTlsDispatcher.h b/resolv/include/netd_resolv/DnsTlsDispatcher.h
index 0bb19f2..45142b8 100644
--- a/resolv/include/netd_resolv/DnsTlsDispatcher.h
+++ b/resolv/include/netd_resolv/DnsTlsDispatcher.h
@@ -38,8 +38,8 @@
// This is a singleton class that manages the collection of active DnsTlsTransports.
// Queries made here are dispatched to an existing or newly constructed DnsTlsTransport.
-class LIBNETD_RESOLV_TLS_EXPORT DnsTlsDispatcher {
-public:
+class DnsTlsDispatcher {
+ public:
// Default constructor.
DnsTlsDispatcher();
diff --git a/resolv/include/netd_resolv/DnsTlsQueryMap.h b/resolv/include/netd_resolv/DnsTlsQueryMap.h
index 4c8010c..f013e01 100644
--- a/resolv/include/netd_resolv/DnsTlsQueryMap.h
+++ b/resolv/include/netd_resolv/DnsTlsQueryMap.h
@@ -35,8 +35,8 @@
// Keeps track of queries and responses. This class matches responses with queries.
// All methods are thread-safe and non-blocking.
-class LIBNETD_RESOLV_TLS_EXPORT DnsTlsQueryMap {
-public:
+class DnsTlsQueryMap {
+ public:
struct Query {
// The new ID number assigned to this query.
uint16_t newId;
diff --git a/resolv/include/netd_resolv/DnsTlsServer.h b/resolv/include/netd_resolv/DnsTlsServer.h
index 752dc5f..bb161f2 100644
--- a/resolv/include/netd_resolv/DnsTlsServer.h
+++ b/resolv/include/netd_resolv/DnsTlsServer.h
@@ -30,7 +30,7 @@
// DnsTlsServer represents a recursive resolver that supports, or may support, a
// secure protocol.
-struct LIBNETD_RESOLV_TLS_EXPORT DnsTlsServer {
+struct DnsTlsServer {
// Default constructor.
DnsTlsServer() {}
@@ -68,7 +68,7 @@
};
// This comparison only checks the IP address. It ignores ports, names, and fingerprints.
-struct LIBNETD_RESOLV_TLS_EXPORT AddressComparator {
+struct AddressComparator {
bool operator() (const DnsTlsServer& x, const DnsTlsServer& y) const;
};
diff --git a/resolv/include/netd_resolv/DnsTlsSocket.h b/resolv/include/netd_resolv/DnsTlsSocket.h
index 7190dd2..195705b 100644
--- a/resolv/include/netd_resolv/DnsTlsSocket.h
+++ b/resolv/include/netd_resolv/DnsTlsSocket.h
@@ -46,8 +46,8 @@
// or the destructor in a callback. Doing so will result in deadlocks.
// This class may call the observer at any time after initialize(), until the destructor
// returns (but not after).
-class LIBNETD_RESOLV_TLS_EXPORT DnsTlsSocket : public IDnsTlsSocket {
-public:
+class DnsTlsSocket : public IDnsTlsSocket {
+ public:
DnsTlsSocket(const DnsTlsServer& server, unsigned mark,
IDnsTlsSocketObserver* _Nonnull observer,
DnsTlsSessionCache* _Nonnull cache) :
diff --git a/resolv/include/netd_resolv/DnsTlsTransport.h b/resolv/include/netd_resolv/DnsTlsTransport.h
index 011be61..4590868 100644
--- a/resolv/include/netd_resolv/DnsTlsTransport.h
+++ b/resolv/include/netd_resolv/DnsTlsTransport.h
@@ -41,8 +41,8 @@
// Manages at most one DnsTlsSocket at a time. This class handles socket lifetime issues,
// such as reopening the socket and reissuing pending queries.
-class LIBNETD_RESOLV_TLS_EXPORT DnsTlsTransport : public IDnsTlsSocketObserver {
-public:
+class DnsTlsTransport : public IDnsTlsSocketObserver {
+ public:
DnsTlsTransport(const DnsTlsServer& server, unsigned mark,
IDnsTlsSocketFactory* _Nonnull factory) :
mMark(mark), mServer(server), mFactory(factory) {}
diff --git a/resolv/include/netd_resolv/PrivateDnsConfiguration.h b/resolv/include/netd_resolv/PrivateDnsConfiguration.h
new file mode 100644
index 0000000..cee0205
--- /dev/null
+++ b/resolv/include/netd_resolv/PrivateDnsConfiguration.h
@@ -0,0 +1,78 @@
+/*
+ * Copyright (C) 2018 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#ifndef NETD_RESOLV_PRIVATEDNSCONFIGURATION_H
+#define NETD_RESOLV_PRIVATEDNSCONFIGURATION_H
+
+#include <list>
+#include <map>
+#include <vector>
+
+#include <android-base/thread_annotations.h>
+
+#include "DnsTlsServer.h"
+#include "resolv.h"
+
+namespace android {
+namespace net {
+
+struct PrivateDnsStatus {
+ PrivateDnsMode mode;
+ std::list<DnsTlsServer> validatedServers;
+};
+
+class PrivateDnsConfiguration {
+ public:
+ int set(int32_t netId, uint32_t mark, const std::vector<std::string>& servers,
+ const std::string& name, const std::set<std::vector<uint8_t>>& fingerprints);
+
+ PrivateDnsStatus getStatus(unsigned netId);
+
+ // Externally used for netd.
+ void getStatus(unsigned netId, ExternalPrivateDnsStatus* status);
+
+ int getPrivateDnsModeAndStatus(unsigned netId);
+ void clear(unsigned netId);
+ void setCallback(private_dns_validated_callback callback);
+
+ private:
+ typedef std::map<DnsTlsServer, Validation, AddressComparator> PrivateDnsTracker;
+
+ void validatePrivateDnsProvider(const DnsTlsServer& server, PrivateDnsTracker& tracker,
+ unsigned netId, uint32_t mark) REQUIRES(mPrivateDnsLock);
+
+ bool recordPrivateDnsValidation(const DnsTlsServer& server, unsigned netId, bool success);
+
+ // Start validation for newly added servers as well as any servers that have
+ // landed in Validation::fail state. Note that servers that have failed
+ // multiple validation attempts but for which there is still a validating
+ // thread running are marked as being Validation::in_process.
+ bool needsValidation(const PrivateDnsTracker& tracker, const DnsTlsServer& server);
+
+ std::mutex mPrivateDnsLock;
+ std::map<unsigned, PrivateDnsMode> mPrivateDnsModes GUARDED_BY(mPrivateDnsLock);
+ // Structure for tracking the validation status of servers on a specific netId.
+ // Using the AddressComparator ensures at most one entry per IP address.
+ std::map<unsigned, PrivateDnsTracker> mPrivateDnsTransports GUARDED_BY(mPrivateDnsLock);
+ private_dns_validated_callback mCallback = nullptr;
+};
+
+extern PrivateDnsConfiguration gPrivateDnsConfiguration;
+
+} // namespace net
+} // namespace android
+
+#endif /* NETD_RESOLV_PRIVATEDNSCONFIGURATION_H */
diff --git a/resolv/include/netd_resolv/params.h b/resolv/include/netd_resolv/params.h
index c3f3363..939bfc4 100644
--- a/resolv/include/netd_resolv/params.h
+++ b/resolv/include/netd_resolv/params.h
@@ -36,17 +36,12 @@
int base_timeout_msec; // base query retry timeout (if 0, use RES_TIMEOUT)
};
-typedef enum { res_goahead, res_nextns, res_modified, res_done, res_error } res_sendhookact;
+// The DNS over TLS mode on a specific netId.
+enum class PrivateDnsMode : uint8_t { OFF, OPPORTUNISTIC, STRICT };
-typedef res_sendhookact (*res_send_qhook)(struct sockaddr* const*, const uint8_t**, int*, uint8_t*,
- int, int*);
-
-typedef res_sendhookact (*res_send_rhook)(const struct sockaddr*, const uint8_t*, int, uint8_t*,
- int, int*);
+// Validation status of a DNS over TLS server (on a specific netId).
+enum class Validation : uint8_t { in_process, success, fail, unknown_server, unknown_netid };
#define LIBNETD_RESOLV_PUBLIC extern "C" [[gnu::visibility("default")]]
-// TODO: Remove it after we move PrivateDnsConfiguration and qhook() into libnetd_resolv.
-#define LIBNETD_RESOLV_TLS_EXPORT [[gnu::visibility("default")]]
-
#endif // NETD_RESOLV_PARAMS_H
diff --git a/resolv/include/netd_resolv/resolv.h b/resolv/include/netd_resolv/resolv.h
index 2c33c71..9176996 100644
--- a/resolv/include/netd_resolv/resolv.h
+++ b/resolv/include/netd_resolv/resolv.h
@@ -75,7 +75,6 @@
unsigned dns_mark;
uid_t uid;
unsigned flags;
- res_send_qhook qhook;
};
#define NET_CONTEXT_INVALID_UID ((uid_t) -1)
@@ -83,6 +82,19 @@
#define NET_CONTEXT_FLAG_USE_LOCAL_NAMESERVERS 0x00000001
#define NET_CONTEXT_FLAG_USE_EDNS 0x00000002
+struct ExternalPrivateDnsStatus {
+ PrivateDnsMode mode;
+ unsigned numServers;
+ struct PrivateDnsInfo {
+ sockaddr_storage ss;
+ const char* hostname;
+ Validation validation;
+ } serverStatus[MAXNS];
+};
+
+typedef void (*private_dns_validated_callback)(unsigned netid, const char* server,
+ const char* hostname, bool success);
+
LIBNETD_RESOLV_PUBLIC hostent* android_gethostbyaddrfornetcontext(const void*, socklen_t, int,
const android_net_context*);
LIBNETD_RESOLV_PUBLIC int android_gethostbynamefornetcontext(const char*, int,
@@ -96,6 +108,22 @@
unsigned numservers, const char* domains,
const __res_params* params);
+LIBNETD_RESOLV_PUBLIC int resolv_set_private_dns_for_net(unsigned netid, uint32_t mark,
+ const char** servers,
+ const unsigned numServers,
+ const char* tlsName,
+ const uint8_t** fingerprints,
+ const unsigned numFingerprints);
+
+LIBNETD_RESOLV_PUBLIC void resolv_delete_private_dns_for_net(unsigned netid);
+
+LIBNETD_RESOLV_PUBLIC void resolv_get_private_dns_status_for_net(unsigned netid,
+ ExternalPrivateDnsStatus* status);
+
+// Register callback to listen whether private DNS validated
+LIBNETD_RESOLV_PUBLIC void resolv_register_private_dns_callback(
+ private_dns_validated_callback callback);
+
// Flush the cache associated with a certain network
LIBNETD_RESOLV_PUBLIC void resolv_flush_cache_for_net(unsigned netid);