| /* |
| * Copyright (C) 2018 The Android Open Source Project |
| * |
| * Licensed under the Apache License, Version 2.0 (the "License"); |
| * you may not use this file except in compliance with the License. |
| * You may obtain a copy of the License at |
| * |
| * http://www.apache.org/licenses/LICENSE-2.0 |
| * |
| * Unless required by applicable law or agreed to in writing, software |
| * distributed under the License is distributed on an "AS IS" BASIS, |
| * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
| * See the License for the specific language governing permissions and |
| * limitations under the License. |
| */ |
| |
| #define LOG_TAG "PrivateDnsConfiguration" |
| #define DBG 0 |
| |
| #include <log/log.h> |
| #include <netdb.h> |
| #include <sys/socket.h> |
| |
| #include "netd_resolv/DnsTlsTransport.h" |
| #include "netd_resolv/PrivateDnsConfiguration.h" |
| #include "netdutils/BackoffSequence.h" |
| |
| int resolv_set_private_dns_for_net(unsigned netid, uint32_t mark, const char** servers, |
| const unsigned numServers, const char* tlsName, |
| const uint8_t** fingerprints, const unsigned numFingerprint) { |
| std::vector<std::string> tlsServers; |
| for (unsigned i = 0; i < numServers; i++) { |
| tlsServers.push_back(std::string(servers[i])); |
| } |
| |
| std::set<std::vector<uint8_t>> tlsFingerprints; |
| for (unsigned i = 0; i < numFingerprint; i++) { |
| // Each fingerprint stored are 32(SHA256_SIZE) bytes long. |
| tlsFingerprints.emplace(std::vector<uint8_t>(fingerprints[i], fingerprints[i] + 32)); |
| } |
| |
| return android::net::gPrivateDnsConfiguration.set(netid, mark, tlsServers, std::string(tlsName), |
| tlsFingerprints); |
| } |
| |
| void resolv_delete_private_dns_for_net(unsigned netid) { |
| android::net::gPrivateDnsConfiguration.clear(netid); |
| } |
| |
| void resolv_get_private_dns_status_for_net(unsigned netid, ExternalPrivateDnsStatus* status) { |
| android::net::gPrivateDnsConfiguration.getStatus(netid, status); |
| } |
| |
| void resolv_register_private_dns_callback(private_dns_validated_callback callback) { |
| android::net::gPrivateDnsConfiguration.setCallback(callback); |
| } |
| |
| namespace android { |
| |
| using android::netdutils::BackoffSequence; |
| |
| namespace net { |
| |
| std::string addrToString(const sockaddr_storage* addr) { |
| char out[INET6_ADDRSTRLEN] = {0}; |
| getnameinfo((const sockaddr*) addr, sizeof(sockaddr_storage), out, INET6_ADDRSTRLEN, nullptr, 0, |
| NI_NUMERICHOST); |
| return std::string(out); |
| } |
| |
| bool parseServer(const char* server, sockaddr_storage* parsed) { |
| addrinfo hints = {.ai_family = AF_UNSPEC, .ai_flags = AI_NUMERICHOST | AI_NUMERICSERV}; |
| addrinfo* res; |
| |
| int err = getaddrinfo(server, "853", &hints, &res); |
| if (err != 0) { |
| ALOGW("Failed to parse server address (%s): %s", server, gai_strerror(err)); |
| return false; |
| } |
| |
| memcpy(parsed, res->ai_addr, res->ai_addrlen); |
| freeaddrinfo(res); |
| return true; |
| } |
| |
| void PrivateDnsConfiguration::setCallback(private_dns_validated_callback callback) { |
| if (mCallback == nullptr) { |
| mCallback = callback; |
| } |
| } |
| |
| int PrivateDnsConfiguration::set(int32_t netId, uint32_t mark, |
| const std::vector<std::string>& servers, const std::string& name, |
| const std::set<std::vector<uint8_t>>& fingerprints) { |
| if (DBG) { |
| ALOGD("PrivateDnsConfiguration::set(%u, %zu, %s, %zu)", netId, servers.size(), name.c_str(), |
| fingerprints.size()); |
| } |
| |
| const bool explicitlyConfigured = !name.empty() || !fingerprints.empty(); |
| |
| // Parse the list of servers that has been passed in |
| std::set<DnsTlsServer> tlsServers; |
| for (size_t i = 0; i < servers.size(); ++i) { |
| sockaddr_storage parsed; |
| if (!parseServer(servers[i].c_str(), &parsed)) { |
| return -EINVAL; |
| } |
| DnsTlsServer server(parsed); |
| server.name = name; |
| server.fingerprints = fingerprints; |
| tlsServers.insert(server); |
| } |
| |
| std::lock_guard guard(mPrivateDnsLock); |
| if (explicitlyConfigured) { |
| mPrivateDnsModes[netId] = PrivateDnsMode::STRICT; |
| } else if (!tlsServers.empty()) { |
| mPrivateDnsModes[netId] = PrivateDnsMode::OPPORTUNISTIC; |
| } else { |
| mPrivateDnsModes[netId] = PrivateDnsMode::OFF; |
| mPrivateDnsTransports.erase(netId); |
| return 0; |
| } |
| |
| // Create the tracker if it was not present |
| auto netPair = mPrivateDnsTransports.find(netId); |
| if (netPair == mPrivateDnsTransports.end()) { |
| // No TLS tracker yet for this netId. |
| bool added; |
| std::tie(netPair, added) = mPrivateDnsTransports.emplace(netId, PrivateDnsTracker()); |
| if (!added) { |
| ALOGE("Memory error while recording private DNS for netId %d", netId); |
| return -ENOMEM; |
| } |
| } |
| auto& tracker = netPair->second; |
| |
| // Remove any servers from the tracker that are not in |servers| exactly. |
| for (auto it = tracker.begin(); it != tracker.end();) { |
| if (tlsServers.count(it->first) == 0) { |
| it = tracker.erase(it); |
| } else { |
| ++it; |
| } |
| } |
| |
| // Add any new or changed servers to the tracker, and initiate async checks for them. |
| for (const auto& server : tlsServers) { |
| if (needsValidation(tracker, server)) { |
| validatePrivateDnsProvider(server, tracker, netId, mark); |
| } |
| } |
| return 0; |
| } |
| |
| PrivateDnsStatus PrivateDnsConfiguration::getStatus(unsigned netId) { |
| PrivateDnsStatus status{PrivateDnsMode::OFF, {}}; |
| |
| // This mutex is on the critical path of every DNS lookup. |
| // |
| // If the overhead of mutex acquisition proves too high, we could reduce |
| // it by maintaining an atomic_int32_t counter of TLS-enabled netids, or |
| // by using an RWLock. |
| std::lock_guard guard(mPrivateDnsLock); |
| |
| const auto mode = mPrivateDnsModes.find(netId); |
| if (mode == mPrivateDnsModes.end()) return status; |
| status.mode = mode->second; |
| |
| const auto netPair = mPrivateDnsTransports.find(netId); |
| if (netPair != mPrivateDnsTransports.end()) { |
| for (const auto& serverPair : netPair->second) { |
| if (serverPair.second == Validation::success) { |
| status.validatedServers.push_back(serverPair.first); |
| } |
| } |
| } |
| |
| return status; |
| } |
| |
| void PrivateDnsConfiguration::getStatus(unsigned netId, ExternalPrivateDnsStatus* status) { |
| // This mutex is on the critical path of every DNS lookup. |
| // |
| // If the overhead of mutex acquisition proves too high, we could reduce |
| // it by maintaining an atomic_int32_t counter of TLS-enabled netids, or |
| // by using an RWLock. |
| std::lock_guard guard(mPrivateDnsLock); |
| |
| const auto mode = mPrivateDnsModes.find(netId); |
| if (mode == mPrivateDnsModes.end()) return; |
| status->mode = mode->second; |
| |
| const auto netPair = mPrivateDnsTransports.find(netId); |
| if (netPair != mPrivateDnsTransports.end()) { |
| status->numServers = netPair->second.size(); |
| int count = 0; |
| for (const auto& serverPair : netPair->second) { |
| status->serverStatus[count].ss = serverPair.first.ss; |
| status->serverStatus[count].hostname = |
| serverPair.first.name.empty() ? "" : serverPair.first.name.c_str(); |
| status->serverStatus[count].validation = serverPair.second; |
| /* |
| unsigned numFingerprint = 0; |
| for (const auto& fp : serverPair.first.fingerprints) { |
| std::copy( |
| fp.begin(), fp.end(), |
| status->serverStatus[count].fingerprints.fingerprint[numFingerprint].data); |
| numFingerprint++; |
| } |
| status->serverStatus[count].fingerprints.num = numFingerprint; |
| */ |
| count++; |
| } |
| } |
| } |
| |
| void PrivateDnsConfiguration::clear(unsigned netId) { |
| if (DBG) { |
| ALOGD("PrivateDnsConfiguration::clear(%u)", netId); |
| } |
| std::lock_guard guard(mPrivateDnsLock); |
| mPrivateDnsModes.erase(netId); |
| mPrivateDnsTransports.erase(netId); |
| } |
| |
| void PrivateDnsConfiguration::validatePrivateDnsProvider(const DnsTlsServer& server, |
| PrivateDnsTracker& tracker, unsigned netId, |
| uint32_t mark) REQUIRES(mPrivateDnsLock) { |
| if (DBG) { |
| ALOGD("validatePrivateDnsProvider(%s, %u)", addrToString(&(server.ss)).c_str(), netId); |
| } |
| |
| tracker[server] = Validation::in_process; |
| if (DBG) { |
| ALOGD("Server %s marked as in_process. Tracker now has size %zu", |
| addrToString(&(server.ss)).c_str(), tracker.size()); |
| } |
| // Note that capturing |server| and |netId| in this lambda create copies. |
| std::thread validate_thread([this, server, netId, mark] { |
| // cat /proc/sys/net/ipv4/tcp_syn_retries yields "6". |
| // |
| // Start with a 1 minute delay and backoff to once per hour. |
| // |
| // Assumptions: |
| // [1] Each TLS validation is ~10KB of certs+handshake+payload. |
| // [2] Network typically provision clients with <=4 nameservers. |
| // [3] Average month has 30 days. |
| // |
| // Each validation pass in a given hour is ~1.2MB of data. And 24 |
| // such validation passes per day is about ~30MB per month, in the |
| // worst case. Otherwise, this will cost ~600 SYNs per month |
| // (6 SYNs per ip, 4 ips per validation pass, 24 passes per day). |
| auto backoff = BackoffSequence<>::Builder() |
| .withInitialRetransmissionTime(std::chrono::seconds(60)) |
| .withMaximumRetransmissionTime(std::chrono::seconds(3600)) |
| .build(); |
| |
| while (true) { |
| // ::validate() is a blocking call that performs network operations. |
| // It can take milliseconds to minutes, up to the SYN retry limit. |
| const bool success = DnsTlsTransport::validate(server, netId, mark); |
| if (DBG) { |
| ALOGD("validateDnsTlsServer returned %d for %s", success, |
| addrToString(&(server.ss)).c_str()); |
| } |
| |
| const bool needs_reeval = this->recordPrivateDnsValidation(server, netId, success); |
| if (!needs_reeval) { |
| break; |
| } |
| |
| if (backoff.hasNextTimeout()) { |
| std::this_thread::sleep_for(backoff.getNextTimeout()); |
| } else { |
| break; |
| } |
| } |
| }); |
| validate_thread.detach(); |
| } |
| |
| bool PrivateDnsConfiguration::recordPrivateDnsValidation(const DnsTlsServer& server, unsigned netId, |
| bool success) { |
| constexpr bool NEEDS_REEVALUATION = true; |
| constexpr bool DONT_REEVALUATE = false; |
| |
| std::lock_guard guard(mPrivateDnsLock); |
| |
| auto netPair = mPrivateDnsTransports.find(netId); |
| if (netPair == mPrivateDnsTransports.end()) { |
| ALOGW("netId %u was erased during private DNS validation", netId); |
| return DONT_REEVALUATE; |
| } |
| |
| const auto mode = mPrivateDnsModes.find(netId); |
| if (mode == mPrivateDnsModes.end()) { |
| ALOGW("netId %u has no private DNS validation mode", netId); |
| return DONT_REEVALUATE; |
| } |
| const bool modeDoesReevaluation = (mode->second == PrivateDnsMode::STRICT); |
| |
| bool reevaluationStatus = |
| (success || !modeDoesReevaluation) ? DONT_REEVALUATE : NEEDS_REEVALUATION; |
| |
| auto& tracker = netPair->second; |
| auto serverPair = tracker.find(server); |
| if (serverPair == tracker.end()) { |
| ALOGW("Server %s was removed during private DNS validation", |
| addrToString(&(server.ss)).c_str()); |
| success = false; |
| reevaluationStatus = DONT_REEVALUATE; |
| } else if (!(serverPair->first == server)) { |
| // TODO: It doesn't seem correct to overwrite the tracker entry for |
| // |server| down below in this circumstance... Fix this. |
| ALOGW("Server %s was changed during private DNS validation", |
| addrToString(&(server.ss)).c_str()); |
| success = false; |
| reevaluationStatus = DONT_REEVALUATE; |
| } |
| |
| // Invoke the callback to send a validation event to NetdEventListenerService. |
| if (mCallback != nullptr) { |
| const char* ipLiteral = addrToString(&(server.ss)).c_str(); |
| const char* hostname = server.name.empty() ? "" : server.name.c_str(); |
| mCallback(netId, ipLiteral, hostname, success); |
| } |
| |
| if (success) { |
| tracker[server] = Validation::success; |
| if (DBG) { |
| ALOGD("Validation succeeded for %s! Tracker now has %zu entries.", |
| addrToString(&(server.ss)).c_str(), tracker.size()); |
| } |
| } else { |
| // Validation failure is expected if a user is on a captive portal. |
| // TODO: Trigger a second validation attempt after captive portal login |
| // succeeds. |
| tracker[server] = (reevaluationStatus == NEEDS_REEVALUATION) ? Validation::in_process |
| : Validation::fail; |
| if (DBG) { |
| ALOGD("Validation failed for %s!", addrToString(&(server.ss)).c_str()); |
| } |
| } |
| |
| return reevaluationStatus; |
| } |
| |
| // Start validation for newly added servers as well as any servers that have |
| // landed in Validation::fail state. Note that servers that have failed |
| // multiple validation attempts but for which there is still a validating |
| // thread running are marked as being Validation::in_process. |
| bool PrivateDnsConfiguration::needsValidation(const PrivateDnsTracker& tracker, |
| const DnsTlsServer& server) { |
| const auto& iter = tracker.find(server); |
| return (iter == tracker.end()) || (iter->second == Validation::fail); |
| } |
| |
| PrivateDnsConfiguration gPrivateDnsConfiguration; |
| |
| } // namespace net |
| } // namespace android |