
Commit 91cf5292 authored by Mike Yu's avatar Mike Yu

Add the test for nat64 prefix discovery bypass tls

This test is added to make sure the fix of aosp/836502
won't be broken.

Bug: 119992869
Test: runtest passed
Merged-In: Ibc860d6d53fdbb1e75aebed9c6be0c9d9554edb3
Merged-In: I419de52e9ef5cc49d168153d2cb4d6e5b2462cbe
Change-Id: I69d603b3905a688c0361a73598c536c9223ba6a9
(cherry picked from commit 76256d067955f17a3784756a35dda01fce673b5a)
parent fb66fbae
+1 −0
@@ -58,6 +58,7 @@ public:
    bool startServer();
    bool stopServer();
    int queries() const { return queries_; }
    void clearQueries() { queries_ = 0; }
    bool waitForQueries(int number, int timeoutMs) const;
    void set_chain_length(int length) { chain_length_ = length; }
    // Represents a fingerprint from the middle of the certificate chain.
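Review bot: `clearQueries()` (presumably the one line this section adds; the page does not mark it) resets `queries_` with a plain assignment. The declaration of `queries_` is outside the hunk, so confirm it is a `std::atomic<int>` or otherwise synchronized; if the frontend's handler thread increments it while the test thread writes 0, that is a data race and the later `EXPECT_EQ(0, tls.queries())` can be unreliable. A one-line comment would also help callers, e.g. `// Resets the query counter; call only when no query is in flight.` The class body starts and ends outside this hunk.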
+46 −1
@@ -102,7 +102,6 @@ class ResolverTest : public ::testing::Test {

    void SetUp() { mDnsClient.SetUp(); }
    void TearDown() {
        mDnsClient.resolvService()->stopPrefix64Discovery(TEST_NETID);
        mDnsClient.TearDown();
    }

@@ -3284,6 +3283,52 @@ TEST_F(ResolverTest, GetHostByName2_Dns64QuerySpecialUseIPv4Addresses) {
    }
}

TEST_F(ResolverTest, PrefixDiscoveryBypassTls) {
    constexpr char listen_addr[] = "::1";
    constexpr char cleartext_port[] = "53";
    constexpr char tls_port[] = "853";
    constexpr char dns64_name[] = "ipv4only.arpa.";
    const std::vector<std::string> servers = {listen_addr};

    test::DNSResponder dns(listen_addr);
    StartDns(dns, {{dns64_name, ns_type::ns_t_aaaa, "64:ff9b::192.0.0.170"}});
    test::DnsTlsFrontend tls(listen_addr, tls_port, listen_addr, cleartext_port);
    ASSERT_TRUE(tls.startServer());

    // Setup OPPORTUNISTIC mode and wait for the validation complete.
    ASSERT_TRUE(
            mDnsClient.SetResolversWithTls(servers, kDefaultSearchDomains, kDefaultParams, "", {}));
    EXPECT_TRUE(tls.waitForQueries(1, 5000));
    tls.clearQueries();

    // Start NAT64 prefix discovery and wait for it complete.
    EXPECT_TRUE(mDnsClient.resolvService()->startPrefix64Discovery(TEST_NETID).isOk());
    EXPECT_TRUE(WaitForPrefix64Detected(TEST_NETID, 1000));

    // Verify it bypassed TLS even though there's a TLS server available.
    EXPECT_EQ(0, tls.queries());
    EXPECT_EQ(1U, GetNumQueries(dns, dns64_name));

    // Restart the testing network to reset the cache.
    mDnsClient.TearDown();
    mDnsClient.SetUp();
    dns.clearQueries();

    // Setup STRICT mode and wait for the validation complete.
    ASSERT_TRUE(mDnsClient.SetResolversWithTls(servers, kDefaultSearchDomains, kDefaultParams, "",
                                               {base64Encode(tls.fingerprint())}));
    EXPECT_TRUE(tls.waitForQueries(1, 5000));
    tls.clearQueries();

    // Start NAT64 prefix discovery and wait for it to complete.
    EXPECT_TRUE(mDnsClient.resolvService()->startPrefix64Discovery(TEST_NETID).isOk());
    EXPECT_TRUE(WaitForPrefix64Detected(TEST_NETID, 1000));

    // Verify it bypassed TLS despite STRICT mode.
    EXPECT_EQ(0, tls.queries());
    EXPECT_EQ(1U, GetNumQueries(dns, dns64_name));
}

namespace {

void sendCommand(int fd, const std::string& cmd) {
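Review bot: In `PrefixDiscoveryBypassTls`, the STRICT-mode half asserts only that the `ipv4only.arpa.` AAAA query reached the cleartext responder and that `tls.queries()` stayed at 0; nothing checks that the bypass is limited to that one name. Since STRICT mode exists to keep queries off cleartext, I would add an ordinary lookup after discovery and assert that it arrives on the TLS frontend and not on `dns`, so a regression that widens the bypass is caught. A short comment above the test would also help, e.g. `// NAT64 prefix discovery (ipv4only.arpa) is intentionally sent in cleartext, even in STRICT mode.` Separately, the test starts discovery twice and never calls `stopPrefix64Discovery`; if the line dropped from `TearDown()` in the first hunk is that call, cleanup now depends on `mDnsClient.TearDown()` alone, which is worth confirming. The hunk ends inside the anonymous namespace at `sendCommand`, whose body is outside the view.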