xref: /aosp_15_r20/tools/test/connectivity/acts_tests/tests/google/net/DnsOverTlsTest.py

#
#   Copyright 2018 - The Android Open Source Project
#
#   Licensed under the Apache License, Version 2.0 (the "License");
#   you may not use this file except in compliance with the License.
#   You may obtain a copy of the License at
#
#       http://www.apache.org/licenses/LICENSE-2.0
#
#   Unless required by applicable law or agreed to in writing, software
#   distributed under the License is distributed on an "AS IS" BASIS,
#   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
#   See the License for the specific language governing permissions and
#   limitations under the License.

import time

from acts import asserts
from acts.controllers.openwrt_ap import MOBLY_CONTROLLER_CONFIG_NAME as OPENWRT
from acts.test_decorators import test_tracker_info
from acts_contrib.test_utils.net import connectivity_const as cconst
from acts_contrib.test_utils.net import connectivity_test_utils as cutils
from acts_contrib.test_utils.net import net_test_utils as nutils
from acts_contrib.test_utils.tel.tel_ims_utils import set_wfc_mode
from acts_contrib.test_utils.net.net_test_utils import start_tcpdump
from acts_contrib.test_utils.net.net_test_utils import stop_tcpdump
from acts_contrib.test_utils.tel.tel_defines import WFC_MODE_DISABLED
from acts_contrib.test_utils.tel.tel_test_utils import get_operator_name
from acts_contrib.test_utils.wifi import wifi_test_utils as wutils
from acts_contrib.test_utils.wifi.WifiBaseTest import WifiBaseTest
from scapy.all import rdpcap
from scapy.all import Scapy_Exception
from scapy.all import TCP
from scapy.all import UDP


RST = 0x04
SSID = wutils.WifiEnums.SSID_KEY


class DnsOverTlsTest(WifiBaseTest):
    """Tests for DNS-over-TLS."""

    def setup_class(self):
        """Setup devices for DNS-over-TLS test and unpack params."""

        self.dut = self.android_devices[0]
        if len(self.android_devices) > 1:
            self.dut_b = self.android_devices[1]
        for ad in self.android_devices:
            ad.droid.setPrivateDnsMode(True)
            if OPENWRT not in self.user_params:
                nutils.verify_lte_data_and_tethering_supported(ad)
            set_wfc_mode(self.log, ad, WFC_MODE_DISABLED)
        req_params = ("ping_hosts",)
        opt_params = ("ipv4_only_network", "ipv4_ipv6_network",
                      "dns_name", "configure_OpenWrt", "wifi_network")
        self.unpack_userparams(req_param_names=req_params,
                               opt_param_names=opt_params)

        if OPENWRT in self.user_params:
            self.openwrt = self.access_points[0]
            if hasattr(self, "configure_OpenWrt") and self.configure_OpenWrt == "skip":
                self.dut.log.info("Skip configure Wifi interface due to config setup.")
            else:
                self.configure_openwrt_ap_and_start(wpa_network=True)
                self.wifi_network = self.openwrt.get_wifi_network()
            self.private_dns_servers = [self.dns_name]
            self.openwrt.network_setting.setup_dns_server(self.dns_name)
        else:
            self.private_dns_servers = [cconst.DNS_GOOGLE_HOSTNAME,
                                        cconst.DNS_QUAD9_HOSTNAME,
                                        cconst.DNS_CLOUDFLARE_HOSTNAME]
        self.tcpdump_pid = None

    def teardown_test(self):
        wutils.reset_wifi(self.dut)

    def teardown_class(self):
        for ad in self.android_devices:
            ad.droid.setPrivateDnsMode(True)

        if OPENWRT in self.user_params:
            self.openwrt.network_setting.remove_dns_server()

    def on_fail(self, test_name, begin_time):
        self.dut.take_bug_report(test_name, begin_time)

    def get_wifi_network(self, ipv6_supported):
        if OPENWRT in self.user_params:
            if ipv6_supported:
                self.openwrt.network_setting.enable_ipv6()
            else:
                self.openwrt.network_setting.disable_ipv6()
            return self.openwrt.get_wifi_network()
        if ipv6_supported:
            return self.ipv4_ipv6_network
        return self.ipv4_only_network

    def _start_tcp_dump(self, ad):
        """Start tcpdump on the given dut.

        Args:
            ad: dut to run tcpdump on
        """
        self.tcpdump_pid = start_tcpdump(ad, self.test_name)

    def _stop_tcp_dump(self, ad):
        """Stop tcpdump and pull it to the test run logs.

        Args:
            ad: dut to pull tcpdump from
        """
        return stop_tcpdump(ad, self.tcpdump_pid, self.test_name)

    def _verify_dns_queries_over_tls(self, pcap_file, tls=True):
        """Verify if DNS queries were over TLS or not.

        Args:
            pcap_file: tcpdump file
            tls: if queries should be over TLS or port 853
        """
        try:
            packets = rdpcap(pcap_file)
        except Scapy_Exception:
            asserts.fail("Not a valid pcap file")
        for pkt in packets:
            summary = "%s" % pkt.summary()
            for host in self.ping_hosts:
                host = host.split(".")[-2]
                if tls and UDP in pkt and pkt[UDP].dport == 53 and \
                    host in summary:
                      asserts.fail("Found query to port 53: %s" % summary)
                elif not tls and TCP in pkt and pkt[TCP].dport == 853 and \
                    not pkt[TCP].flags:
                      asserts.fail("Found query to port 853: %s" % summary)

    def _verify_no_rst_packets_port_853(self, pcap_file):
        """Verify if RST packets are found in the pcap file.

        Args:
            pcap_file: full path of tcpdump file
        """
        packets = rdpcap(pcap_file)
        for pkt in packets:
            if TCP in pkt and pkt[TCP].flags == RST and pkt[TCP].dport == 853:
                asserts.fail("Found RST packets: %s" % pkt.summary())

    def _test_private_dns_mode(self, ad, net, dns_mode, use_tls, hostname=None):
        """Test private DNS mode.

        Args:
            ad: android device object
            net: wifi network to connect to, LTE network if None
            dns_mode: private DNS mode
            use_tls: if True, the DNS packets should be encrypted
            hostname: private DNS hostname to set to
        """

        # set private dns mode
        if dns_mode:
            cutils.set_private_dns(self.dut, dns_mode, hostname)

        # connect to wifi
        if net:
            wutils.start_wifi_connection_scan_and_ensure_network_found(
                self.dut, net[SSID])
            wutils.wifi_connect(self.dut, net)

        # start tcpdump on the device
        self._start_tcp_dump(self.dut)

        # ping hosts should pass
        for host in self.ping_hosts:
            self.log.info("Pinging %s" % host)
            status = wutils.validate_connection(self.dut, host)
            asserts.assert_true(status, "Failed to ping host %s" % host)
            self.log.info("Ping successful")

        # stop tcpdump
        pcap_file = self._stop_tcp_dump(self.dut)

        # verify DNS queries
        self._verify_dns_queries_over_tls(pcap_file, use_tls)

        # reset wifi
        wutils.reset_wifi(self.dut)

    def _test_invalid_private_dns(self, net, dns_mode, dns_hostname):
        """Test private DNS with invalid hostname, which should failed the ping.

        :param net: Wi-Fi network to connect to
        :param dns_mode: private DNS mode
        :param dns_hostname: private DNS hostname
        :return:
        """

        cutils.set_private_dns(self.dut, dns_mode, dns_hostname)
        if net:
            wutils.start_wifi_connection_scan_and_ensure_network_found(
                self.dut, net[SSID])
            wutils.wifi_connect(
                self.dut, net, assert_on_fail=False, check_connectivity=False)

        self._start_tcp_dump(self.dut)

        # ping hosts should NOT pass
        ping_result = False
        for host in self.ping_hosts:
            self.log.info("Pinging %s" % host)
            try:
                ping_result = self.dut.droid.httpPing(host)
            except:
                pass
            # Ping result should keep negative with invalid DNS,
            # so once it's positive we should break, and the test should fail
            if ping_result:
                break

        pcap_file = self._stop_tcp_dump(self.dut)
        self._verify_dns_queries_over_tls(pcap_file, True)
        wutils.reset_wifi(self.dut)
        return ping_result

    @test_tracker_info(uuid="2957e61c-d333-45fb-9ff9-2250c9c8535a")
    def test_private_dns_mode_off_wifi_ipv4_only_network(self):
        """Verify private dns mode off on ipv4 only network.

        Steps:
            1. Set private dns mode off
            2. Connect to wifi network. DNS server supports DNS/TLS
            3. Run HTTP ping to amazon.com, facebook.com, netflix.com
            4. Verify ping works to differnt hostnames
            5. Verify that all queries go to port 53
        """
        self._test_private_dns_mode(self.dut,
                                    self.get_wifi_network(False),
                                    cconst.PRIVATE_DNS_MODE_OFF,
                                    False)

    @test_tracker_info(uuid="ea036d22-25af-4df0-b6cc-0027bc1efbe9")
    def test_private_dns_mode_off_wifi_ipv4_ipv6_network(self):
        """Verify private dns mode off on ipv4-ipv6 network.

        Steps:
            1. Set private dns mode off
            2. Connect to wifi network. DNS server supports DNS/TLS
            3. Run HTTP ping to amazon.com, facebook.com, netflix.com
            4. Verify ping works to differnt hostnames
            5. Verify that all queries go to port 53
        """
        self._test_private_dns_mode(self.dut,
                                    self.get_wifi_network(True),
                                    cconst.PRIVATE_DNS_MODE_OFF,
                                    False)

    @test_tracker_info(uuid="4227abf4-0a75-4b4d-968c-dfc63052f5db")
    def test_private_dns_mode_opportunistic_wifi_ipv4_only_network(self):
        """Verify private dns mode opportunistic on ipv4 only network.

        Steps:
            1. Set private dns to opportunistic mode
            2. Connect to wifi network. DNS server supports DNS/TLS
            3. Run HTTP ping to amazon.com, facebook.com, netflix.com
            4. Verify ping works to differnt hostnames
            5. Verify that all queries go to port 853 and encrypted
        """
        self._test_private_dns_mode(self.dut,
                                    self.get_wifi_network(False),
                                    cconst.PRIVATE_DNS_MODE_OPPORTUNISTIC,
                                    True)

    @test_tracker_info(uuid="0c97cfef-4313-4346-b05b-395de63c5c3f")
    def test_private_dns_mode_opportunistic_wifi_ipv4_ipv6_network(self):
        """Verify private dns mode opportunistic on ipv4-ipv6 network.

        Steps:
            1. Set private dns to opportunistic mode
            2. Connect to wifi network. DNS server supports DNS/TLS
            3. Run HTTP ping to amazon.com, facebook.com, netflix.com
            4. Verify ping works to differnt hostnames
            5. Verify that all queries go to port 853
        """
        self._test_private_dns_mode(self.dut,
                                    self.get_wifi_network(True),
                                    cconst.PRIVATE_DNS_MODE_OPPORTUNISTIC,
                                    True)

    @test_tracker_info(uuid="b70569f1-2613-49d0-be49-fd3464dde305")
    def test_private_dns_mode_strict_wifi_ipv4_only_network(self):
        """Verify private dns mode strict on ipv4 only network.

        Steps:
            1. Set private dns to strict mode
            2. Connect to wifi network. DNS server supports DNS/TLS
            3. Run HTTP ping to amazon.com, facebook.com, netflix.com
            4. Verify ping works to differnt hostnames
            5. Verify that all queries go to port 853 and encrypted
        """
        for dns in self.private_dns_servers:
            self._test_private_dns_mode(self.dut,
                                        self.get_wifi_network(False),
                                        cconst.PRIVATE_DNS_MODE_STRICT,
                                        True,
                                        dns)

    @test_tracker_info(uuid="85738b52-823b-4c59-a0d5-219e2fab2929")
    def test_private_dns_mode_strict_wifi_ipv4_ipv6_network(self):
        """Verify private dns mode strict on ipv4-ipv6 network.

        Steps:
            1. Set private dns to strict mode
            2. Connect to wifi network. DNS server supports DNS/TLS
            3. Run HTTP ping to amazon.com, facebook.com, netflix.com
            4. Verify ping works to differnt hostnames
            5. Verify that all queries go to port 853 and encrypted
        """
        for dns in self.private_dns_servers:
            self._test_private_dns_mode(self.dut,
                                        self.get_wifi_network(True),
                                        cconst.PRIVATE_DNS_MODE_STRICT,
                                        True,
                                        dns)

    @test_tracker_info(uuid="727e280a-d2bd-463f-b2a1-653d4b3f7f29")
    def test_private_dns_mode_off_vzw_carrier(self):
        """Verify private dns mode off on VZW network.

        Steps:
            1. Set private dns mode off
            2. Connect to wifi network. VZW doesn't support DNS/TLS
            3. Run HTTP ping to amazon.com, facebook.com, netflix.com
            4. Verify ping works to differnt hostnames
            5. Verify that all queries go to port 53
        """
        carrier = get_operator_name(self.log, self.dut_b)
        asserts.skip_if(carrier != "vzw", "Carrier is not Verizon")
        self._test_private_dns_mode(self.dut_b,
                                    None,
                                    cconst.PRIVATE_DNS_MODE_OFF,
                                    False)

    @test_tracker_info(uuid="b16f6e2c-a24f-4efe-9003-2bfaf28b8d5e")
    def test_private_dns_mode_off_tmo_carrier(self):
        """Verify private dns mode off on TMO network.

        Steps:
            1. Set private dns to off mode
            2. Connect to wifi network. TMO supports DNS/TLS
            3. Run HTTP ping to amazon.com, facebook.com, netflix.com
            4. Verify ping works to differnt hostnames
            5. Verify that all queries go to port 53
        """
        carrier = get_operator_name(self.log, self.dut)
        asserts.skip_if(carrier != "tmo", "Carrier is not T-mobile")
        self._test_private_dns_mode(self.dut,
                                    None,
                                    cconst.PRIVATE_DNS_MODE_OFF,
                                    False)

    @test_tracker_info(uuid="edfa7bfe-3e52-46b4-9d72-7c6c300b3680")
    def test_private_dns_mode_opportunistic_vzw_carrier(self):
        """Verify private dns mode opportunistic on VZW network.

        Steps:
            1. Set private dns mode opportunistic
            2. Connect to wifi network. VZW doesn't support DNS/TLS
            3. Run HTTP ping to amazon.com, facebook.com, netflix.com
            4. Verify ping works to differnt hostnames
            5. Verify that all queries go to port 53
        """
        carrier = get_operator_name(self.log, self.dut_b)
        asserts.skip_if(carrier != "vzw", "Carrier is not Verizon")
        self._test_private_dns_mode(self.dut_b,
                                    None,
                                    cconst.PRIVATE_DNS_MODE_OPPORTUNISTIC,
                                    False)

    @test_tracker_info(uuid="41c3f2c4-11b7-4bb8-a3c9-fac63f6822f6")
    def test_private_dns_mode_opportunistic_tmo_carrier(self):
        """Verify private dns mode opportunistic on TMO network.

        Steps:
            1. Set private dns mode opportunistic
            2. Connect to wifi network. TMP supports DNS/TLS
            3. Run HTTP ping to amazon.com, facebook.com, netflix.com
            4. Verify ping works to differnt hostnames
            5. Verify that all queries go to port 853 and encrypted
        """
        carrier = get_operator_name(self.log, self.dut)
        asserts.skip_if(carrier != "tmo", "Carrier is not T-mobile")
        self._test_private_dns_mode(self.dut,
                                    None,
                                    cconst.PRIVATE_DNS_MODE_OPPORTUNISTIC,
                                    True)

    @test_tracker_info(uuid="65fd2052-f0c0-4446-b353-7ed2273e6c95")
    def test_private_dns_mode_strict_vzw_carrier(self):
        """Verify private dns mode strict on VZW network.

        Steps:
            1. Set private dns mode strict
            2. Connect to wifi network. VZW doesn't support DNS/TLS
            3. Run HTTP ping to amazon.com, facebook.com, netflix.com
            4. Verify ping works to differnt hostnames
            5. Verify that all queries go to port 853 and encrypted
        """
        carrier = get_operator_name(self.log, self.dut_b)
        asserts.skip_if(carrier != "vzw", "Carrier is not Verizon")
        for dns in self.private_dns_servers:
            self._test_private_dns_mode(self.dut_b,
                                        None,
                                        cconst.PRIVATE_DNS_MODE_STRICT,
                                        True,
                                        dns)

    @test_tracker_info(uuid="bca141f7-06c9-4e44-854e-4bdb9443b2da")
    def test_private_dns_mode_strict_tmo_carrier(self):
        """Verify private dns mode strict on TMO network.

        Steps:
            1. Set private dns mode strict
            2. Connect to wifi network. TMO supports DNS/TLS
            3. Run HTTP ping to amazon.com, facebook.com, netflix.com
            4. Verify ping works to differnt hostnames
            5. Verify that all queries go to port 853 and encrypted
        """
        carrier = get_operator_name(self.log, self.dut)
        asserts.skip_if(carrier != "tmo", "Carrier is not T-mobile")
        for dns in self.private_dns_servers:
            self._test_private_dns_mode(self.dut,
                                        None,
                                        cconst.PRIVATE_DNS_MODE_STRICT,
                                        True,
                                        dns)

    @test_tracker_info(uuid="7d977987-d9e3-4be1-b8fc-e5a84050ed48")
    def test_private_dns_mode_opportunistic_connectivity_toggle_networks(self):
        """Verify private DNS opportunistic mode connectivity by toggling networks.

        Steps:
            1. Set private DNS opportunistic mode
            2. DUT is connected to mobile network
            3. Verify connectivity and DNS queries going to port 853 for TMO
               and port 53 for VZW
            4. Switch to wifi network set with private DNS server
            5. Verify connectivity and DNS queries going to port 853
            6. Switch back to mobile network
            7. Verify connectivity and DNS queries going to port 853 for TMO
               and port 53 for VZW
            8. Repeat steps 1-7 for TMO, VZW and different private DNS servers
        """
        for ad in self.android_devices:
            carrier = get_operator_name(self.log, ad)
            self.log.info("Carrier is: %s" % carrier)
            use_tls = True if carrier == "tmo" else False
            for dns in self.private_dns_servers:
                self.log.info("Setting opportunistic private dns mode")
                # set private dns mode
                cutils.set_private_dns(ad, cconst.PRIVATE_DNS_MODE_OPPORTUNISTIC)

                # verify dns over tls on mobile network
                self._test_private_dns_mode(
                    self.dut, None, None, use_tls, dns)

                # verify dns over tls on wifi network
                self._test_private_dns_mode(
                    self.dut, self.ipv4_ipv6_network, None, True, dns)

                # verify dns over tls on mobile network
                wutils.reset_wifi(self.dut)
                self._test_private_dns_mode(
                    self.dut, None, None, use_tls, dns)

    @test_tracker_info(uuid="bc2f228f-e288-4539-a4b9-c02968209985")
    def test_private_dns_mode_strict_connectivity_toggle_networks(self):
        """Verify private DNS strict mode connectivity by toggling networks.

        Steps:
            1. Set private DNS strict mode
            2. DUT is connected to mobile network
            3. Verify connectivity and DNS queries going to port 853
            4. Switch to wifi network
            5. Verify connectivity and DNS queries going to port 853
            6. Switch back to mobile network
            7. Verify connectivity and DNS queries going to port 853
            8. Repeat steps 1-7 for TMO, VZW and different private DNS servers
        """
        for ad in self.android_devices:
            self.log.info("Carrier is: %s" % get_operator_name(self.log, ad))
            for dns in self.private_dns_servers:
                self.log.info("Setting strict mode private dns: %s" % dns)
                # set private dns mode
                cutils.set_private_dns(ad, cconst.PRIVATE_DNS_MODE_STRICT, dns)

                # verify dns over tls on mobile network
                self._test_private_dns_mode(
                    self.dut, None, None, True, dns)

                # verify dns over tls on wifi network
                self._test_private_dns_mode(
                    self.dut, self.ipv4_ipv6_network, None, True, dns)

                # verify dns over tls on mobile network
                wutils.reset_wifi(self.dut)
                self._test_private_dns_mode(
                    self.dut, None, None, True, dns)

    @test_tracker_info(uuid="1426673a-7728-4df7-8de5-dfb3529ada62")
    def test_dns_server_link_properties_strict_mode(self):
        """Verify DNS server in the link properties when set in strict mode.

        Steps:
            1. Set DNS server hostname in Private DNS settings (stict mode)
            2. Verify that DNS server set in settings is in link properties
            3. Verify for WiFi as well as LTE
        """
        # start tcpdump on device
        self._start_tcp_dump(self.dut)

        # set private DNS to strict mode
        cutils.set_private_dns(
            self.dut, cconst.PRIVATE_DNS_MODE_STRICT, cconst.DNS_GOOGLE_HOSTNAME)

        # connect DUT to wifi network
        wutils.start_wifi_connection_scan_and_ensure_network_found(
            self.dut, self.ipv4_ipv6_network[SSID])
        wutils.wifi_connect(self.dut, self.ipv4_ipv6_network)
        for host in self.ping_hosts:
            wutils.validate_connection(self.dut, host)

        # DNS server in link properties for wifi network
        link_prop = self.dut.droid.connectivityGetActiveLinkProperties()
        wifi_dns_servers = link_prop["PrivateDnsServerName"]
        self.log.info("Link prop: %s" % wifi_dns_servers)

        # DUT is on LTE data
        wutils.reset_wifi(self.dut)
        time.sleep(1)  # wait till lte network becomes active
        for host in self.ping_hosts:
            wutils.validate_connection(self.dut, host)

        # DNS server in link properties for cell network
        link_prop = self.dut.droid.connectivityGetActiveLinkProperties()
        lte_dns_servers = link_prop["PrivateDnsServerName"]
        self.log.info("Link prop: %s" % lte_dns_servers)

        # stop tcpdump on device
        pcap_file = self._stop_tcp_dump(self.dut)

        # Verify DNS server in link properties
        asserts.assert_true(cconst.DNS_GOOGLE_HOSTNAME in wifi_dns_servers,
                            "Hostname not in link properties - wifi network")
        asserts.assert_true(cconst.DNS_GOOGLE_HOSTNAME in lte_dns_servers,
                            "Hostname not in link properites - cell network")

    @test_tracker_info(uuid="525a6f2d-9751-474e-a004-52441091e427")
    def test_dns_over_tls_no_reset_packets(self):
        """Verify there are no TCP packets with RST flags on port 853.

        Steps:
            1. Enable opportunistic or strict mode
            2. Ping hosts and verify that there are TCP pkts with RST flags
        """
        # start tcpdump on device
        self._start_tcp_dump(self.dut)

        # set private DNS to opportunistic mode
        cutils.set_private_dns(self.dut, cconst.PRIVATE_DNS_MODE_OPPORTUNISTIC)

        # connect DUT to wifi network
        wutils.start_wifi_connection_scan_and_ensure_network_found(
            self.dut, self.ipv4_ipv6_network[SSID])
        wutils.wifi_connect(self.dut, self.ipv4_ipv6_network)
        for host in self.ping_hosts:
            wutils.validate_connection(self.dut, host)


        # stop tcpdump on device
        pcap_file = self._stop_tcp_dump(self.dut)

        # check that there no RST TCP packets
        self._verify_no_rst_packets_port_853(pcap_file)

    @test_tracker_info(uuid="af6e34f1-3ad5-4ab0-b3b9-53008aa08294")
    def test_private_dns_mode_strict_invalid_hostnames(self):
        """Verify that invalid hostnames are not able to ping for strict mode.

        Steps:
            1. Set private DNS to strict mode with invalid hostname
            2. Verify that invalid hostname is not saved
        """
        invalid_hostnames = ["!%@&!*", "12093478129", "9.9.9.9", "sdkfjhasdf"]
        for dns_hostname in invalid_hostnames:
            ping_result = self._test_invalid_private_dns(
                self.get_wifi_network(False),
                cconst.PRIVATE_DNS_MODE_STRICT,
                dns_hostname)
            asserts.assert_false(ping_result, "Ping success with invalid DNS.")