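/*
 * Copyright (C) 2017 The Android Open Source Project
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *      http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */

#ifndef _DNS_DNSTLSTRANSPORT_H
#define _DNS_DNSTLSTRANSPORT_H

// <cstddef>/<cstdint> are included explicitly because this header uses size_t
// and uint8_t directly rather than relying on the socket headers to drag them in.
#include <cstddef>
#include <cstdint>
#include <netinet/in.h>
#include <set>
#include <sys/socket.h>
#include <sys/types.h>
#include <vector>

#include "android-base/unique_fd.h"

// Forward declaration.
typedef struct ssl_st SSL;

namespace android {
namespace net {

// A DNS-over-TLS transport bound to one upstream server (mAddr), one socket
// protocol (mProtocol) and one socket mark (mMark), validated against a set of
// accepted SHA-256 fingerprints. Every member is const, so an instance is
// immutable after construction and not assignable.
class DnsTlsTransport {
public:
    // |mark|: socket mark applied to the sockets this transport opens.
    // |protocol|: IPPROTO_* value used when creating the socket (see
    //   makeConnectedSocket).
    // |ss|: address of the TLS server; copied into mAddr.
    // |fingerprints|: accepted SHA-256 fingerprints for the server. Per the
    //   validateDnsTlsServer contract below an empty set means the fingerprint
    //   is not checked — NOTE(review): confirm against the implementation.
    DnsTlsTransport(unsigned mark, int protocol, const sockaddr_storage& ss,
                    const std::set<std::vector<uint8_t>>& fingerprints)
        : mMark(mark), mProtocol(protocol), mAddr(ss), mFingerprints(fingerprints) {}
    ~DnsTlsTransport() = default;

    // Outcome of a single doQuery() call. Only |success| means |ans| holds a
    // response; the remaining values name the failure class. Their exact
    // triggers are defined by the implementation, not by this header.
    enum class Response : uint8_t { success, network_error, limit_error, internal_error };

    // Given a |query| of length |qlen|, sends it to the server and writes the
    // response into |ans|, which can accept up to |anssiz| bytes. Indicates
    // the number of bytes written in |resplen|. If |resplen| is zero, an
    // error has occurred. Callers should check both the returned Response and
    // |resplen| before reading |ans|; bytes past |resplen| are not part of the
    // response.
    Response doQuery(const uint8_t* query, size_t qlen, uint8_t* ans, size_t anssiz, int* resplen);

private:
    // On success, returns a non-blocking socket connected to mAddr (the
    // connection will likely be in progress if mProtocol is IPPROTO_TCP).
    // On error, returns -1 with errno set appropriately.
    android::base::unique_fd makeConnectedSocket() const;

    // Performs the TLS handshake on the already-connected |fd| and returns the
    // resulting SSL object. NOTE(review): the failure value (presumably
    // nullptr), whether a fingerprint mismatch fails the handshake, and who
    // frees the returned SSL* are not visible in this header — confirm against
    // the implementation before relying on them.
    SSL* sslConnect(int fd);

    // Writes a buffer to the socket.
    bool sslWrite(int fd, SSL* ssl, const uint8_t* buffer, int len);

    // Reads exactly the specified number of bytes from the socket. Blocking.
    // Returns false if the socket closes before enough bytes can be read.
    bool sslRead(int fd, SSL* ssl, uint8_t* buffer, int len);

    const unsigned mMark;  // Socket mark
    const int mProtocol;   // IPPROTO_* used for the socket
    const sockaddr_storage mAddr;  // Copy of the server address passed at construction
    const std::set<std::vector<uint8_t>> mFingerprints;  // Accepted SHA-256 fingerprints
};

// Check that a given TLS server (ss) is fully working on the specified netid, and has a
// provided SHA-256 fingerprint (if nonempty). This function is used in ResolverController
// to ensure that we don't enable DNS over TLS on networks where it doesn't actually work.
bool validateDnsTlsServer(unsigned netid, const sockaddr_storage& ss,
                          const std::set<std::vector<uint8_t>>& fingerprints);

}  // namespace net
}  // namespace android

#endif  // _DNS_DNSTLSTRANSPORT_H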