server/dns/DnsTlsTransport.h

/*
 * Copyright (C) 2017 The Android Open Source Project
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *      http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */

#ifndef _DNS_DNSTLSTRANSPORT_H
#define _DNS_DNSTLSTRANSPORT_H

#include <netinet/in.h>
#include <set>
#include <string>
#include <sys/socket.h>
#include <sys/types.h>
#include <vector>

#include "android-base/unique_fd.h"

// Forward declaration.
typedef struct ssl_st SSL;

namespace android {
namespace net {

class DnsTlsTransport {
public:
    struct Server {
        // Default constructor
        Server() {}
        // Allow sockaddr_storage to be promoted to Server automatically.
        Server(const sockaddr_storage& ss) : ss(ss) {}
        sockaddr_storage ss;
        std::set<std::vector<uint8_t>> fingerprints;
        std::string name;
        int protocol = IPPROTO_TCP;
        // Exact comparison of Server objects
        bool operator <(const Server& other) const;
        bool operator ==(const Server& other) const;
    };

    enum class Response : uint8_t { success, network_error, limit_error, internal_error };

    // Given a |query| of length |qlen|, sends it to the server on the network indicated by |mark|,
    // and writes the response into |ans|, which can accept up to |anssiz| bytes.  Indicates
    // the number of bytes written in |resplen|.  If |resplen| is zero, an
    // error has occurred.
    static Response query(const Server& server, unsigned mark, const uint8_t *query, size_t qlen,
            uint8_t *ans, size_t anssiz, int *resplen);

    // Check that a given TLS server is fully working on the specified netid, and has the
    // provided SHA-256 fingerprint (if nonempty).  This function is used in ResolverController
    // to ensure that we don't enable DNS over TLS on networks where it doesn't actually work.
    static bool validate(const Server& server, unsigned netid);

private:
    DnsTlsTransport(const Server& server, unsigned mark)
            : mMark(mark), mServer(server)
            {}
    ~DnsTlsTransport() {}

    Response doQuery(const uint8_t *query, size_t qlen, uint8_t *ans, size_t anssiz, int *resplen);

    // On success, returns a non-blocking socket connected to mAddr (the
    // connection will likely be in progress if mProtocol is IPPROTO_TCP).
    // On error, returns -1 with errno set appropriately.
    android::base::unique_fd makeConnectedSocket() const;

    SSL* sslConnect(int fd);

    // Writes a buffer to the socket.
    bool sslWrite(int fd, SSL *ssl, const uint8_t *buffer, int len);

    // Reads exactly the specified number of bytes from the socket.  Blocking.
    // Returns false if the socket closes before enough bytes can be read.
    bool sslRead(int fd, SSL *ssl, uint8_t *buffer, int len);

    const unsigned mMark;  // Socket mark
    const Server mServer;
};

// This comparison ignores ports, names, and fingerprints.
struct AddressComparator {
    bool operator() (const DnsTlsTransport::Server& x, const DnsTlsTransport::Server& y) const;
};


}  // namespace net
}  // namespace android

#endif  // _DNS_DNSTLSTRANSPORT_H