
Commit 18f64f19 authored by Ken Chen

Remove RESOLV_INJECT_CA_CERTIFICATE

The cppflags RESOLV_INJECT_CA_CERTIFICATE prevents the test CA certificate
injection interface from being misused in production builds. However, it will
also lead to resolv_integration_test failing while the resolver is built
for mainline release. Remove RESOLV_INJECT_CA_CERTIFICATE to get the test to
pass. The CA certificate injection interface is still protected by the
permission check in DnsResolverService::setResolverConfiguration().

Bug: 147792436
Test: 1. build and install com.android.resolv from aml branch
      2. atest resolv_integration_test

Change-Id: Id03566dcaceab0f8c78fe705cb8f6f6c806082ca
parent 0452b8cf
+0 −1
@@ -108,7 +108,6 @@ cc_library {
        debuggable: {
            cppflags: [
                "-DRESOLV_ALLOW_VERBOSE_LOGGING=1",
                "-DRESOLV_INJECT_CA_CERTIFICATE=1",
            ],
        },
    },
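Review bot: dropping `-DRESOLV_INJECT_CA_CERTIFICATE=1` from the `debuggable` cppflags removes the only build-time distinction between debug and production builds for the CA injection path; the commit message says the remaining protection is the permission check in DnsResolverService::setResolverConfiguration(), but that check is not part of this diff, so a reviewer should confirm it exists and is exercised by resolv_integration_test before merging. A short comment in this `debuggable` block, or in the commit message, noting that the interface is now gated by the runtime caller check alone would make the change of trust boundary explicit for future readers.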
+2 −8
@@ -42,11 +42,6 @@
#include "private/android_filesystem_config.h"  // AID_DNS
#include "resolv_private.h"

// NOTE: Inject CA certificate for internal testing -- do NOT enable in production builds
#ifndef RESOLV_INJECT_CA_CERTIFICATE
#define RESOLV_INJECT_CA_CERTIFICATE 0
#endif

namespace android {

using netdutils::enableSockopt;
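Review bot: removing the `#ifndef RESOLV_INJECT_CA_CERTIFICATE` default also removes the NOTE comment ("do NOT enable in production builds"), which was the only place in this file that documented the production risk of the injection interface. Since the macro no longer exists, a stale `-DRESOLV_INJECT_CA_CERTIFICATE=1` in any other build configuration would now silently have no effect, which is harmless; suggest carrying the intent of the removed NOTE forward as a comment next to the remaining injection code in DnsTlsSocket::initialize() so the reliance on the DnsResolverService caller check is stated where the certificate is actually installed.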
@@ -158,10 +153,9 @@ bool DnsTlsSocket::initialize() {
    // Load system CA certs from CAPath for hostname verification.
    //
    // For discussion of alternative, sustainable approaches see b/71909242.
    if (RESOLV_INJECT_CA_CERTIFICATE && !mServer.certificate.empty()) {
    if (!mServer.certificate.empty()) {
        // Inject test CA certs from ResolverParamsParcel.caCertificate for internal testing.
        // This is only allowed by DnsResolverService if the caller is not AID_SYSTEM, and on
        // debug builds.
        // This is only allowed by DnsResolverService if the caller is not AID_SYSTEM
        LOG(WARNING) << "Setting test CA certificate. This should never happen in production code.";
        if (!setTestCaCertificate()) {
            LOG(ERROR) << "Failed to set test CA certificate";
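Review bot: the rewritten comment drops "and on debug builds", so the condition `if (!mServer.certificate.empty())` now runs on every build whenever a caller that is not AID_SYSTEM supplies a certificate; the adjacent `LOG(WARNING) << "Setting test CA certificate. This should never happen in production code."` is therefore no longer accurate, because on a production build this path is reachable once the caller check passes. Suggest rewording the warning to state that a caller-supplied test CA certificate is being installed, and making sure the message remains loud enough that it is visible in logs, since it is now the only runtime indicator that DNS-over-TLS verification is using a non-system trust anchor.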