Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 18f64f19 authored by Ken Chen's avatar Ken Chen
Browse files

Remove RESOLV_INJECT_CA_CERTIFICATE 

The cppflags RESOLV_INJECT_CA_CERTIFICATE prevents test CA certificate
injection interface to be misused in production build. However, it will
also leads to resolv_integration_test fail while the resolver is built
for mainline release. Remove RESOLV_INJECT_CA_CERTIFICATE to get test
pass. The CA certificate injection interface is still protected by
permission check in DnsResolverService::setResolverConfiguration().

Bug: 147792436
Test: 1. build and install com.android.resolv from aml branch
      2. atest resolv_integration_test

Change-Id: Id03566dcaceab0f8c78fe705cb8f6f6c806082ca
parent 0452b8cf

Android.bp

+0 −1
Original line number Diff line number Diff line
@@ -108,7 +108,6 @@ cc_library { 
        debuggable: {

            cppflags: [

                "-DRESOLV_ALLOW_VERBOSE_LOGGING=1",

                "-DRESOLV_INJECT_CA_CERTIFICATE=1",

            ],

        },

    },

DnsTlsSocket.cpp

+2 −8
Original line number Diff line number Diff line
@@ -42,11 +42,6 @@ 
#include "private/android_filesystem_config.h"  // AID_DNS

#include "resolv_private.h"



// NOTE: Inject CA certificate for internal testing -- do NOT enable in production builds

#ifndef RESOLV_INJECT_CA_CERTIFICATE

#define RESOLV_INJECT_CA_CERTIFICATE 0

#endif



namespace android {



using netdutils::enableSockopt;
@@ -158,10 +153,9 @@ bool DnsTlsSocket::initialize() { 
    // Load system CA certs from CAPath for hostname verification.

    //

    // For discussion of alternative, sustainable approaches see b/71909242.

    if (RESOLV_INJECT_CA_CERTIFICATE && !mServer.certificate.empty()) {

    if (!mServer.certificate.empty()) {

        // Inject test CA certs from ResolverParamsParcel.caCertificate for internal testing.

        // This is only allowed by DnsResolverService if the caller is not AID_SYSTEM, and on

        // debug builds.

        // This is only allowed by DnsResolverService if the caller is not AID_SYSTEM

        LOG(WARNING) << "Setting test CA certificate. This should never happen in production code.";

        if (!setTestCaCertificate()) {

            LOG(ERROR) << "Failed to set test CA certificate";