| /* |
| * Copyright (C) 2017 The Android Open Source Project |
| * |
| * Licensed under the Apache License, Version 2.0 (the "License"); |
| * you may not use this file except in compliance with the License. |
| * You may obtain a copy of the License at |
| * |
| * http://www.apache.org/licenses/LICENSE-2.0 |
| * |
| * Unless required by applicable law or agreed to in writing, software |
| * distributed under the License is distributed on an "AS IS" BASIS, |
| * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
| * See the License for the specific language governing permissions and |
| * limitations under the License. |
| */ |
| |
| #ifndef _DNS_DNSTLSTRANSPORT_H |
| #define _DNS_DNSTLSTRANSPORT_H |
| |
| #include <netinet/in.h> |
| #include <set> |
| #include <sys/socket.h> |
| #include <sys/types.h> |
| #include <vector> |
| |
| #include "android-base/unique_fd.h" |
| |
| // Forward declaration. |
| typedef struct ssl_st SSL; |
| |
| namespace android { |
| namespace net { |
| |
| class DnsTlsTransport { |
| public: |
| DnsTlsTransport(unsigned mark, int protocol, const sockaddr_storage &ss, |
| const std::set<std::vector<uint8_t>>& fingerprints) |
| : mMark(mark), mProtocol(protocol), mAddr(ss), mFingerprints(fingerprints) |
| {} |
| ~DnsTlsTransport() {} |
| |
| enum class Response : uint8_t { success, network_error, limit_error, internal_error }; |
| |
| // Given a |query| of length |qlen|, sends it to the server and writes the |
| // response into |ans|, which can accept up to |anssiz| bytes. Indicates |
| // the number of bytes written in |resplen|. If |resplen| is zero, an |
| // error has occurred. |
| Response doQuery(const uint8_t *query, size_t qlen, uint8_t *ans, size_t anssiz, int *resplen); |
| |
| private: |
| // On success, returns a non-blocking socket connected to mAddr (the |
| // connection will likely be in progress if mProtocol is IPPROTO_TCP). |
| // On error, returns -1 with errno set appropriately. |
| android::base::unique_fd makeConnectedSocket() const; |
| |
| SSL* sslConnect(int fd); |
| |
| // Writes a buffer to the socket. |
| bool sslWrite(int fd, SSL *ssl, const uint8_t *buffer, int len); |
| |
| // Reads exactly the specified number of bytes from the socket. Blocking. |
| // Returns false if the socket closes before enough bytes can be read. |
| bool sslRead(int fd, SSL *ssl, uint8_t *buffer, int len); |
| |
| const unsigned mMark; // Socket mark |
| const int mProtocol; |
| const sockaddr_storage mAddr; |
| const std::set<std::vector<uint8_t>> mFingerprints; |
| }; |
| |
| // Check that a given TLS server (ss) is fully working on the specified netid, and has a |
| // provided SHA-256 fingerprint (if nonempty). This function is used in ResolverController |
| // to ensure that we don't enable DNS over TLS on networks where it doesn't actually work. |
| bool validateDnsTlsServer(unsigned netid, const sockaddr_storage& ss, |
| const std::set<std::vector<uint8_t>>& fingerprints); |
| |
| } // namespace net |
| } // namespace android |
| |
| #endif // _DNS_DNSTLSTRANSPORT_H |