/* * Copyright (C) 2018 The Android Open Source Project * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. * You may obtain a copy of the License at * * http://www.apache.org/licenses/LICENSE-2.0 * * Unless required by applicable law or agreed to in writing, software * distributed under the License is distributed on an "AS IS" BASIS, * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. * See the License for the specific language governing permissions and * limitations under the License. */ #define LOG_TAG "resolv" #include "PrivateDnsConfiguration.h" #include #include #include #include #include #include "DnsTlsTransport.h" #include "ResolverEventReporter.h" #include "netd_resolv/resolv.h" #include "util.h" using aidl::android::net::resolv::aidl::IDnsResolverUnsolicitedEventListener; using aidl::android::net::resolv::aidl::PrivateDnsValidationEventParcel; using android::base::StringPrintf; using android::netdutils::setThreadName; using std::chrono::milliseconds; namespace android { namespace net { bool parseServer(const char* server, sockaddr_storage* parsed) { addrinfo hints = { .ai_flags = AI_NUMERICHOST | AI_NUMERICSERV, .ai_family = AF_UNSPEC, }; addrinfo* res; int err = getaddrinfo(server, "853", &hints, &res); if (err != 0) { LOG(WARNING) << "Failed to parse server address (" << server << "): " << gai_strerror(err); return false; } memcpy(parsed, res->ai_addr, res->ai_addrlen); freeaddrinfo(res); return true; } int PrivateDnsConfiguration::set(int32_t netId, uint32_t mark, const std::vector& servers, const std::string& name, const std::string& caCert) { LOG(DEBUG) << "PrivateDnsConfiguration::set(" << netId << ", 0x" << std::hex << mark << std::dec << ", " << servers.size() << ", " << name << ")"; // Parse the list of servers that has been passed in PrivateDnsTracker tmp; for (const auto& s : servers) { sockaddr_storage parsed; if (!parseServer(s.c_str(), &parsed)) { return -EINVAL; } auto server = std::make_unique(parsed); server->name = name; server->certificate = caCert; server->mark = mark; tmp[ServerIdentity(*server)] = std::move(server); } std::lock_guard guard(mPrivateDnsLock); if (!name.empty()) { mPrivateDnsModes[netId] = PrivateDnsMode::STRICT; } else if (!tmp.empty()) { mPrivateDnsModes[netId] = PrivateDnsMode::OPPORTUNISTIC; } else { mPrivateDnsModes[netId] = PrivateDnsMode::OFF; mPrivateDnsTransports.erase(netId); // TODO: signal validation threads to stop. return 0; } // Create the tracker if it was not present auto& tracker = mPrivateDnsTransports[netId]; // Add the servers if not contained in tracker. for (auto& [identity, server] : tmp) { if (tracker.find(identity) == tracker.end()) { tracker[identity] = std::move(server); } } for (auto& [identity, server] : tracker) { const bool active = tmp.find(identity) != tmp.end(); server->setActive(active); // For simplicity, deem the validation result of inactive servers as unreliable. if (!server->active() && server->validationState() == Validation::success) { updateServerState(identity, Validation::success_but_expired, netId); } if (needsValidation(*server)) { updateServerState(identity, Validation::in_process, netId); startValidation(identity, netId, false); } } return 0; } PrivateDnsStatus PrivateDnsConfiguration::getStatus(unsigned netId) const { PrivateDnsStatus status{PrivateDnsMode::OFF, {}}; std::lock_guard guard(mPrivateDnsLock); const auto mode = mPrivateDnsModes.find(netId); if (mode == mPrivateDnsModes.end()) return status; status.mode = mode->second; const auto netPair = mPrivateDnsTransports.find(netId); if (netPair != mPrivateDnsTransports.end()) { for (const auto& [_, server] : netPair->second) { if (server->isDot() && server->active()) { DnsTlsServer& dotServer = *static_cast(server.get()); status.serversMap.emplace(dotServer, server->validationState()); } // TODO: also add DoH server to the map. } } return status; } void PrivateDnsConfiguration::clear(unsigned netId) { LOG(DEBUG) << "PrivateDnsConfiguration::clear(" << netId << ")"; std::lock_guard guard(mPrivateDnsLock); mPrivateDnsModes.erase(netId); mPrivateDnsTransports.erase(netId); } base::Result PrivateDnsConfiguration::requestValidation(unsigned netId, const ServerIdentity& identity, uint32_t mark) { std::lock_guard guard(mPrivateDnsLock); // Running revalidation requires to mark the server as in_process, which means the server // won't be used until the validation passes. It's necessary and safe to run revalidation // when in private DNS opportunistic mode, because there's a fallback mechanics even if // all of the private DNS servers are in in_process state. if (auto it = mPrivateDnsModes.find(netId); it == mPrivateDnsModes.end()) { return Errorf("NetId not found in mPrivateDnsModes"); } else if (it->second != PrivateDnsMode::OPPORTUNISTIC) { return Errorf("Private DNS setting is not opportunistic mode"); } auto result = getPrivateDnsLocked(identity, netId); if (!result.ok()) { return result.error(); } const IPrivateDnsServer* server = result.value(); if (!server->active()) return Errorf("Server is not active"); if (server->validationState() != Validation::success) { return Errorf("Server validation state mismatched"); } // Don't run the validation if |mark| (from android_net_context.dns_mark) is different. // This is to protect validation from running on unexpected marks. // Validation should be associated with a mark gotten by system permission. if (server->validationMark() != mark) return Errorf("Socket mark mismatched"); updateServerState(identity, Validation::in_process, netId); startValidation(identity, netId, true); return {}; } void PrivateDnsConfiguration::startValidation(const ServerIdentity& identity, unsigned netId, bool isRevalidation) { // This ensures that the thread sends probe at least once in case // the server is removed before the thread starts running. // TODO: consider moving these code to the thread. const auto result = getPrivateDnsLocked(identity, netId); if (!result.ok()) return; DnsTlsServer server = *static_cast(result.value()); std::thread validate_thread([this, identity, server, netId, isRevalidation] { setThreadName(StringPrintf("TlsVerify_%u", netId).c_str()); // cat /proc/sys/net/ipv4/tcp_syn_retries yields "6". // // Start with a 1 minute delay and backoff to once per hour. // // Assumptions: // [1] Each TLS validation is ~10KB of certs+handshake+payload. // [2] Network typically provision clients with <=4 nameservers. // [3] Average month has 30 days. // // Each validation pass in a given hour is ~1.2MB of data. And 24 // such validation passes per day is about ~30MB per month, in the // worst case. Otherwise, this will cost ~600 SYNs per month // (6 SYNs per ip, 4 ips per validation pass, 24 passes per day). auto backoff = mBackoffBuilder.build(); while (true) { // ::validate() is a blocking call that performs network operations. // It can take milliseconds to minutes, up to the SYN retry limit. LOG(WARNING) << "Validating DnsTlsServer " << server.toIpString() << " with mark 0x" << std::hex << server.validationMark(); const bool success = DnsTlsTransport::validate(server, server.validationMark()); LOG(WARNING) << "validateDnsTlsServer returned " << success << " for " << server.toIpString(); const bool needs_reeval = this->recordPrivateDnsValidation(identity, netId, success, isRevalidation); if (!needs_reeval) { break; } if (backoff.hasNextTimeout()) { // TODO: make the thread able to receive signals to shutdown early. std::this_thread::sleep_for(backoff.getNextTimeout()); } else { break; } } }); validate_thread.detach(); } void PrivateDnsConfiguration::sendPrivateDnsValidationEvent(const ServerIdentity& identity, unsigned netId, bool success) { LOG(DEBUG) << "Sending validation " << (success ? "success" : "failure") << " event on netId " << netId << " for " << identity.sockaddr.ip().toString() << " with hostname {" << identity.provider << "}"; // Send a validation event to NetdEventListenerService. const auto& listeners = ResolverEventReporter::getInstance().getListeners(); if (listeners.empty()) { LOG(ERROR) << "Validation event not sent since no INetdEventListener receiver is available."; } for (const auto& it : listeners) { it->onPrivateDnsValidationEvent(netId, identity.sockaddr.ip().toString(), identity.provider, success); } // Send a validation event to unsolicited event listeners. const auto& unsolEventListeners = ResolverEventReporter::getInstance().getUnsolEventListeners(); const PrivateDnsValidationEventParcel validationEvent = { .netId = static_cast(netId), .ipAddress = identity.sockaddr.ip().toString(), .hostname = identity.provider, .validation = success ? IDnsResolverUnsolicitedEventListener::VALIDATION_RESULT_SUCCESS : IDnsResolverUnsolicitedEventListener::VALIDATION_RESULT_FAILURE, }; for (const auto& it : unsolEventListeners) { it->onPrivateDnsValidationEvent(validationEvent); } } bool PrivateDnsConfiguration::recordPrivateDnsValidation(const ServerIdentity& identity, unsigned netId, bool success, bool isRevalidation) { constexpr bool NEEDS_REEVALUATION = true; constexpr bool DONT_REEVALUATE = false; std::lock_guard guard(mPrivateDnsLock); auto netPair = mPrivateDnsTransports.find(netId); if (netPair == mPrivateDnsTransports.end()) { LOG(WARNING) << "netId " << netId << " was erased during private DNS validation"; notifyValidationStateUpdate(identity.sockaddr, Validation::fail, netId); return DONT_REEVALUATE; } const auto mode = mPrivateDnsModes.find(netId); if (mode == mPrivateDnsModes.end()) { LOG(WARNING) << "netId " << netId << " has no private DNS validation mode"; notifyValidationStateUpdate(identity.sockaddr, Validation::fail, netId); return DONT_REEVALUATE; } bool reevaluationStatus = NEEDS_REEVALUATION; if (success) { reevaluationStatus = DONT_REEVALUATE; } else if (mode->second == PrivateDnsMode::OFF) { reevaluationStatus = DONT_REEVALUATE; } else if (mode->second == PrivateDnsMode::OPPORTUNISTIC && !isRevalidation) { reevaluationStatus = DONT_REEVALUATE; } auto& tracker = netPair->second; auto serverPair = tracker.find(identity); if (serverPair == tracker.end()) { LOG(WARNING) << "Server " << identity.sockaddr.ip().toString() << " was removed during private DNS validation"; success = false; reevaluationStatus = DONT_REEVALUATE; } else if (!serverPair->second->active()) { LOG(WARNING) << "Server " << identity.sockaddr.ip().toString() << " was removed from the configuration"; success = false; reevaluationStatus = DONT_REEVALUATE; } // Send private dns validation result to listeners. sendPrivateDnsValidationEvent(identity, netId, success); if (success) { updateServerState(identity, Validation::success, netId); } else { // Validation failure is expected if a user is on a captive portal. // TODO: Trigger a second validation attempt after captive portal login // succeeds. const auto result = (reevaluationStatus == NEEDS_REEVALUATION) ? Validation::in_process : Validation::fail; updateServerState(identity, result, netId); } LOG(WARNING) << "Validation " << (success ? "success" : "failed"); return reevaluationStatus; } void PrivateDnsConfiguration::updateServerState(const ServerIdentity& identity, Validation state, uint32_t netId) { const auto result = getPrivateDnsLocked(identity, netId); if (!result.ok()) { notifyValidationStateUpdate(identity.sockaddr, Validation::fail, netId); return; } auto* server = result.value(); server->setValidationState(state); notifyValidationStateUpdate(identity.sockaddr, state, netId); RecordEntry record(netId, identity, state); mPrivateDnsLog.push(std::move(record)); } bool PrivateDnsConfiguration::needsValidation(const IPrivateDnsServer& server) const { // The server is not expected to be used on the network. if (!server.active()) return false; // The server is newly added. if (server.validationState() == Validation::unknown_server) return true; // The server has failed at least one validation attempt. Give it another try. if (server.validationState() == Validation::fail) return true; // The previous validation result might be unreliable. if (server.validationState() == Validation::success_but_expired) return true; return false; } base::Result PrivateDnsConfiguration::getPrivateDns( const ServerIdentity& identity, unsigned netId) { std::lock_guard guard(mPrivateDnsLock); return getPrivateDnsLocked(identity, netId); } base::Result PrivateDnsConfiguration::getPrivateDnsLocked( const ServerIdentity& identity, unsigned netId) { auto netPair = mPrivateDnsTransports.find(netId); if (netPair == mPrivateDnsTransports.end()) { return Errorf("Failed to get private DNS: netId {} not found", netId); } auto iter = netPair->second.find(identity); if (iter == netPair->second.end()) { return Errorf("Failed to get private DNS: server {{{}/{}}} not found", identity.sockaddr, identity.provider); } return iter->second.get(); } void PrivateDnsConfiguration::setObserver(PrivateDnsValidationObserver* observer) { std::lock_guard guard(mPrivateDnsLock); mObserver = observer; } void PrivateDnsConfiguration::notifyValidationStateUpdate(const netdutils::IPSockAddr& sockaddr, Validation validation, uint32_t netId) const { if (mObserver) { mObserver->onValidationStateUpdate(sockaddr.ip().toString(), validation, netId); } } void PrivateDnsConfiguration::dump(netdutils::DumpWriter& dw) const { dw.println("PrivateDnsLog:"); netdutils::ScopedIndent indentStats(dw); for (const auto& record : mPrivateDnsLog.copy()) { dw.println(fmt::format( "{} - netId={} PrivateDns={{{}/{}}} state={}", timestampToString(record.timestamp), record.netId, record.serverIdentity.sockaddr.toString(), record.serverIdentity.provider, validationStatusToString(record.state))); } dw.blankline(); } } // namespace net } // namespace android