1 /* 2 * Copyright (C) 2018 The Android Open Source Project 3 * 4 * Licensed under the Apache License, Version 2.0 (the "License"); 5 * you may not use this file except in compliance with the License. 6 * You may obtain a copy of the License at 7 * 8 * http://www.apache.org/licenses/LICENSE-2.0 9 * 10 * Unless required by applicable law or agreed to in writing, software 11 * distributed under the License is distributed on an "AS IS" BASIS, 12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 * See the License for the specific language governing permissions and 14 * limitations under the License. 15 */ 16 17 #define LOG_TAG "resolv" 18 19 #include "DnsTlsSocket.h" 20 21 #include <arpa/inet.h> 22 #include <arpa/nameser.h> 23 #include <errno.h> 24 #include <linux/tcp.h> 25 #include <openssl/err.h> 26 #include <openssl/sha.h> 27 #include <sys/eventfd.h> 28 #include <sys/poll.h> 29 #include <unistd.h> 30 #include <algorithm> 31 32 #include "DnsTlsSessionCache.h" 33 #include "IDnsTlsSocketObserver.h" 34 35 #include <android-base/logging.h> 36 #include <android-base/stringprintf.h> 37 #include <netdutils/SocketOption.h> 38 #include <netdutils/ThreadUtil.h> 39 40 #include "Experiments.h" 41 #include "netd_resolv/resolv.h" 42 #include "private/android_filesystem_config.h" // AID_DNS 43 #include "resolv_private.h" 44 45 namespace android { 46 47 using android::net::Experiments; 48 using base::StringPrintf; 49 using netdutils::enableSockopt; 50 using netdutils::enableTcpKeepAlives; 51 using netdutils::isOk; 52 using netdutils::setThreadName; 53 using netdutils::Slice; 54 using netdutils::Status; 55 56 namespace net { 57 namespace { 58 59 constexpr const char kCaCertDir[] = "/system/etc/security/cacerts"; 60 61 int waitForReading(int fd, int timeoutMs = -1) { 62 pollfd fds = {.fd = fd, .events = POLLIN}; 63 return TEMP_FAILURE_RETRY(poll(&fds, 1, timeoutMs)); 64 } 65 66 int waitForWriting(int fd, int timeoutMs = -1) { 67 pollfd fds = {.fd = fd, .events = POLLOUT}; 68 return TEMP_FAILURE_RETRY(poll(&fds, 1, timeoutMs)); 69 } 70 71 } // namespace 72 73 Status DnsTlsSocket::tcpConnect() { 74 LOG(DEBUG) << mMark << " connecting TCP socket"; 75 int type = SOCK_NONBLOCK | SOCK_CLOEXEC; 76 switch (mServer.protocol) { 77 case IPPROTO_TCP: 78 type |= SOCK_STREAM; 79 break; 80 default: 81 return Status(EPROTONOSUPPORT); 82 } 83 84 mSslFd.reset(socket(mServer.ss.ss_family, type, mServer.protocol)); 85 if (mSslFd.get() == -1) { 86 PLOG(ERROR) << "Failed to create socket"; 87 return Status(errno); 88 } 89 90 resolv_tag_socket(mSslFd.get(), AID_DNS, NET_CONTEXT_INVALID_PID); 91 92 const socklen_t len = sizeof(mMark); 93 if (setsockopt(mSslFd.get(), SOL_SOCKET, SO_MARK, &mMark, len) == -1) { 94 const int err = errno; 95 PLOG(ERROR) << "Failed to set socket mark"; 96 mSslFd.reset(); 97 return Status(err); 98 } 99 100 const Status tfo = enableSockopt(mSslFd.get(), SOL_TCP, TCP_FASTOPEN_CONNECT); 101 if (!isOk(tfo) && tfo.code() != ENOPROTOOPT) { 102 LOG(WARNING) << "Failed to enable TFO: " << tfo.msg(); 103 } 104 105 // Send 5 keepalives, 3 seconds apart, after 15 seconds of inactivity. 106 enableTcpKeepAlives(mSslFd.get(), 15U, 5U, 3U).ignoreError(); 107 108 if (connect(mSslFd.get(), reinterpret_cast<const struct sockaddr *>(&mServer.ss), 109 sizeof(mServer.ss)) != 0 && 110 errno != EINPROGRESS) { 111 const int err = errno; 112 PLOG(WARNING) << "Socket failed to connect"; 113 mSslFd.reset(); 114 return Status(err); 115 } 116 117 return netdutils::status::ok; 118 } 119 120 bool DnsTlsSocket::setTestCaCertificate() { 121 bssl::UniquePtr<BIO> bio( 122 BIO_new_mem_buf(mServer.certificate.data(), mServer.certificate.size())); 123 bssl::UniquePtr<X509> cert(PEM_read_bio_X509(bio.get(), nullptr, nullptr, nullptr)); 124 if (!cert) { 125 LOG(ERROR) << "Failed to read cert"; 126 return false; 127 } 128 129 X509_STORE* cert_store = SSL_CTX_get_cert_store(mSslCtx.get()); 130 if (!X509_STORE_add_cert(cert_store, cert.get())) { 131 LOG(ERROR) << "Failed to add cert"; 132 return false; 133 } 134 return true; 135 } 136 137 // TODO: Try to use static sSslCtx instead of mSslCtx 138 bool DnsTlsSocket::initialize() { 139 // This method is called every time when a new SSL connection is created. 140 // This lock only serves to help catch bugs in code that calls this method. 141 std::lock_guard guard(mLock); 142 if (mSslCtx) { 143 // This is a bug in the caller. 144 return false; 145 } 146 mSslCtx.reset(SSL_CTX_new(TLS_method())); 147 if (!mSslCtx) { 148 return false; 149 } 150 151 // Load system CA certs from CAPath for hostname verification. 152 // 153 // For discussion of alternative, sustainable approaches see b/71909242. 154 if (!mServer.certificate.empty()) { 155 // Inject test CA certs from ResolverParamsParcel.caCertificate for INTERNAL TESTING ONLY. 156 // This is only allowed by DnsResolverService if the caller is AID_ROOT. 157 LOG(WARNING) << "Setting test CA certificate. This should never happen in production code."; 158 if (!setTestCaCertificate()) { 159 LOG(ERROR) << "Failed to set test CA certificate"; 160 return false; 161 } 162 } else { 163 if (SSL_CTX_load_verify_locations(mSslCtx.get(), nullptr, kCaCertDir) != 1) { 164 LOG(ERROR) << "Failed to load CA cert dir: " << kCaCertDir; 165 return false; 166 } 167 } 168 169 // Enable TLS false start 170 SSL_CTX_set_false_start_allowed_without_alpn(mSslCtx.get(), 1); 171 SSL_CTX_set_mode(mSslCtx.get(), SSL_MODE_ENABLE_FALSE_START); 172 173 // Enable session cache 174 mCache->prepareSslContext(mSslCtx.get()); 175 176 mEventFd.reset(eventfd(0, EFD_NONBLOCK | EFD_CLOEXEC)); 177 mShutdownEvent.reset(eventfd(0, EFD_NONBLOCK | EFD_CLOEXEC)); 178 179 const Experiments* const instance = Experiments::getInstance(); 180 mConnectTimeoutMs = instance->getFlag("dot_connect_timeout_ms", kDotConnectTimeoutMs); 181 if (mConnectTimeoutMs < 1000) mConnectTimeoutMs = 1000; 182 183 mAsyncHandshake = instance->getFlag("dot_async_handshake", 0); 184 LOG(DEBUG) << "DnsTlsSocket is initialized with { mConnectTimeoutMs: " << mConnectTimeoutMs 185 << ", mAsyncHandshake: " << mAsyncHandshake << " }"; 186 187 transitionState(State::UNINITIALIZED, State::INITIALIZED); 188 189 return true; 190 } 191 192 bool DnsTlsSocket::startHandshake() { 193 std::lock_guard guard(mLock); 194 if (mState != State::INITIALIZED) { 195 LOG(ERROR) << "Calling startHandshake in unexpected state " << static_cast<int>(mState); 196 return false; 197 } 198 transitionState(State::INITIALIZED, State::CONNECTING); 199 200 if (!mAsyncHandshake) { 201 if (Status status = tcpConnect(); !status.ok()) { 202 transitionState(State::CONNECTING, State::WAIT_FOR_DELETE); 203 LOG(WARNING) << "TCP Handshake failed: " << status.code(); 204 return false; 205 } 206 if (mSsl = sslConnect(mSslFd.get()); !mSsl) { 207 transitionState(State::CONNECTING, State::WAIT_FOR_DELETE); 208 LOG(WARNING) << "TLS Handshake failed"; 209 return false; 210 } 211 } 212 213 // Start the I/O loop. 214 mLoopThread.reset(new std::thread(&DnsTlsSocket::loop, this)); 215 216 return true; 217 } 218 219 bssl::UniquePtr<SSL> DnsTlsSocket::prepareForSslConnect(int fd) { 220 if (!mSslCtx) { 221 LOG(ERROR) << "Internal error: context is null in sslConnect"; 222 return nullptr; 223 } 224 if (!SSL_CTX_set_min_proto_version(mSslCtx.get(), TLS1_2_VERSION)) { 225 LOG(ERROR) << "Failed to set minimum TLS version"; 226 return nullptr; 227 } 228 229 bssl::UniquePtr<SSL> ssl(SSL_new(mSslCtx.get())); 230 // This file descriptor is owned by mSslFd, so don't let libssl close it. 231 bssl::UniquePtr<BIO> bio(BIO_new_socket(fd, BIO_NOCLOSE)); 232 SSL_set_bio(ssl.get(), bio.get(), bio.get()); 233 (void)bio.release(); 234 235 if (!mCache->prepareSsl(ssl.get())) { 236 return nullptr; 237 } 238 239 if (!mServer.name.empty()) { 240 LOG(VERBOSE) << "Checking DNS over TLS hostname = " << mServer.name.c_str(); 241 if (SSL_set_tlsext_host_name(ssl.get(), mServer.name.c_str()) != 1) { 242 LOG(ERROR) << "Failed to set SNI to " << mServer.name; 243 return nullptr; 244 } 245 X509_VERIFY_PARAM* param = SSL_get0_param(ssl.get()); 246 if (X509_VERIFY_PARAM_set1_host(param, mServer.name.data(), mServer.name.size()) != 1) { 247 LOG(ERROR) << "Failed to set verify host param to " << mServer.name; 248 return nullptr; 249 } 250 // This will cause the handshake to fail if certificate verification fails. 251 SSL_set_verify(ssl.get(), SSL_VERIFY_PEER, nullptr); 252 } 253 254 bssl::UniquePtr<SSL_SESSION> session = mCache->getSession(); 255 if (session) { 256 LOG(DEBUG) << "Setting session"; 257 SSL_set_session(ssl.get(), session.get()); 258 } else { 259 LOG(DEBUG) << "No session available"; 260 } 261 262 return ssl; 263 } 264 265 bssl::UniquePtr<SSL> DnsTlsSocket::sslConnect(int fd) { 266 bssl::UniquePtr<SSL> ssl; 267 if (ssl = prepareForSslConnect(fd); !ssl) { 268 return nullptr; 269 } 270 271 for (;;) { 272 LOG(DEBUG) << " Calling SSL_connect with mark 0x" << std::hex << mMark; 273 int ret = SSL_connect(ssl.get()); 274 LOG(DEBUG) << " SSL_connect returned " << ret << " with mark 0x" << std::hex << mMark; 275 if (ret == 1) break; // SSL handshake complete; 276 277 const int ssl_err = SSL_get_error(ssl.get(), ret); 278 switch (ssl_err) { 279 case SSL_ERROR_WANT_READ: 280 // SSL_ERROR_WANT_READ is returned because the application data has been sent during 281 // the TCP connection handshake, the device is waiting for the SSL handshake reply 282 // from the server. 283 if (int err = waitForReading(fd, mConnectTimeoutMs); err <= 0) { 284 PLOG(WARNING) << "SSL_connect read error " << err << ", mark 0x" << std::hex 285 << mMark; 286 return nullptr; 287 } 288 break; 289 case SSL_ERROR_WANT_WRITE: 290 // If no application data is sent during the TCP connection handshake, the 291 // device is waiting for the connection established to perform SSL handshake. 292 if (int err = waitForWriting(fd, mConnectTimeoutMs); err <= 0) { 293 PLOG(WARNING) << "SSL_connect write error " << err << ", mark 0x" << std::hex 294 << mMark; 295 return nullptr; 296 } 297 break; 298 default: 299 PLOG(WARNING) << "SSL_connect ssl error =" << ssl_err << ", mark 0x" << std::hex 300 << mMark; 301 return nullptr; 302 } 303 } 304 305 LOG(DEBUG) << mMark << " handshake complete"; 306 307 return ssl; 308 } 309 310 bssl::UniquePtr<SSL> DnsTlsSocket::sslConnectV2(int fd) { 311 bssl::UniquePtr<SSL> ssl; 312 if (ssl = prepareForSslConnect(fd); !ssl) { 313 return nullptr; 314 } 315 316 for (;;) { 317 LOG(DEBUG) << " Calling SSL_connect with mark 0x" << std::hex << mMark; 318 int ret = SSL_connect(ssl.get()); 319 LOG(DEBUG) << " SSL_connect returned " << ret << " with mark 0x" << std::hex << mMark; 320 if (ret == 1) break; // SSL handshake complete; 321 322 enum { SSLFD = 0, EVENTFD = 1 }; 323 pollfd fds[2] = { 324 {.fd = mSslFd.get(), .events = 0}, 325 {.fd = mShutdownEvent.get(), .events = POLLIN}, 326 }; 327 328 const int ssl_err = SSL_get_error(ssl.get(), ret); 329 switch (ssl_err) { 330 case SSL_ERROR_WANT_READ: 331 fds[SSLFD].events = POLLIN; 332 break; 333 case SSL_ERROR_WANT_WRITE: 334 fds[SSLFD].events = POLLOUT; 335 break; 336 default: 337 PLOG(WARNING) << "SSL_connect ssl error =" << ssl_err << ", mark 0x" << std::hex 338 << mMark; 339 return nullptr; 340 } 341 342 int n = TEMP_FAILURE_RETRY(poll(fds, std::size(fds), mConnectTimeoutMs)); 343 if (n <= 0) { 344 PLOG(WARNING) << ((n == 0) ? "handshake timeout" : "Poll failed"); 345 return nullptr; 346 } 347 348 if (fds[EVENTFD].revents & (POLLIN | POLLERR)) { 349 LOG(WARNING) << "Got shutdown request during handshake"; 350 return nullptr; 351 } 352 if (fds[SSLFD].revents & POLLERR) { 353 LOG(WARNING) << "Got POLLERR on SSLFD during handshake"; 354 return nullptr; 355 } 356 } 357 358 LOG(DEBUG) << mMark << " handshake complete"; 359 360 return ssl; 361 } 362 363 void DnsTlsSocket::sslDisconnect() { 364 if (mSsl) { 365 SSL_shutdown(mSsl.get()); 366 mSsl.reset(); 367 } 368 mSslFd.reset(); 369 } 370 371 bool DnsTlsSocket::sslWrite(const Slice buffer) { 372 LOG(DEBUG) << mMark << " Writing " << buffer.size() << " bytes"; 373 for (;;) { 374 int ret = SSL_write(mSsl.get(), buffer.base(), buffer.size()); 375 if (ret == int(buffer.size())) break; // SSL write complete; 376 377 if (ret < 1) { 378 const int ssl_err = SSL_get_error(mSsl.get(), ret); 379 switch (ssl_err) { 380 case SSL_ERROR_WANT_WRITE: 381 if (int err = waitForWriting(mSslFd.get()); err <= 0) { 382 PLOG(WARNING) << "Poll failed in sslWrite, error " << err; 383 return false; 384 } 385 continue; 386 case 0: 387 break; // SSL write complete; 388 default: 389 LOG(DEBUG) << "SSL_write error " << ssl_err; 390 return false; 391 } 392 } 393 } 394 LOG(DEBUG) << mMark << " Wrote " << buffer.size() << " bytes"; 395 return true; 396 } 397 398 void DnsTlsSocket::loop() { 399 std::lock_guard guard(mLock); 400 std::deque<std::vector<uint8_t>> q; 401 const int timeout_msecs = DnsTlsSocket::kIdleTimeout.count() * 1000; 402 403 setThreadName(StringPrintf("TlsListen_%u", mMark & 0xffff).c_str()); 404 405 if (mAsyncHandshake) { 406 if (Status status = tcpConnect(); !status.ok()) { 407 LOG(WARNING) << "TCP Handshake failed: " << status.code(); 408 mObserver->onClosed(); 409 transitionState(State::CONNECTING, State::WAIT_FOR_DELETE); 410 return; 411 } 412 if (mSsl = sslConnectV2(mSslFd.get()); !mSsl) { 413 LOG(WARNING) << "TLS Handshake failed"; 414 mObserver->onClosed(); 415 transitionState(State::CONNECTING, State::WAIT_FOR_DELETE); 416 return; 417 } 418 LOG(DEBUG) << "Handshaking succeeded"; 419 } 420 421 transitionState(State::CONNECTING, State::CONNECTED); 422 423 while (true) { 424 // poll() ignores negative fds 425 struct pollfd fds[2] = { { .fd = -1 }, { .fd = -1 } }; 426 enum { SSLFD = 0, EVENTFD = 1 }; 427 428 // Always listen for a response from server. 429 fds[SSLFD].fd = mSslFd.get(); 430 fds[SSLFD].events = POLLIN; 431 432 // If we have pending queries, wait for space to write one. 433 // Otherwise, listen for new queries. 434 // Note: This blocks the destructor until q is empty, i.e. until all pending 435 // queries are sent or have failed to send. 436 if (!q.empty()) { 437 fds[SSLFD].events |= POLLOUT; 438 } else { 439 fds[EVENTFD].fd = mEventFd.get(); 440 fds[EVENTFD].events = POLLIN; 441 } 442 443 const int s = TEMP_FAILURE_RETRY(poll(fds, std::size(fds), timeout_msecs)); 444 if (s == 0) { 445 LOG(DEBUG) << "Idle timeout"; 446 break; 447 } 448 if (s < 0) { 449 PLOG(DEBUG) << "Poll failed"; 450 break; 451 } 452 if (fds[SSLFD].revents & (POLLIN | POLLERR | POLLHUP)) { 453 bool readFailed = false; 454 455 // readResponse() only reads one DNS (and consumes exact bytes) from ssl. 456 // Keep doing so until ssl has no pending data. 457 // TODO: readResponse() can block until it reads a complete DNS response. Consider 458 // refactoring it to not get blocked in any case. 459 do { 460 if (!readResponse()) { 461 LOG(DEBUG) << "SSL remote close or read error."; 462 readFailed = true; 463 } 464 } while (SSL_pending(mSsl.get()) > 0 && !readFailed); 465 466 if (readFailed) { 467 break; 468 } 469 } 470 if (fds[EVENTFD].revents & (POLLIN | POLLERR)) { 471 int64_t num_queries; 472 ssize_t res = read(mEventFd.get(), &num_queries, sizeof(num_queries)); 473 if (res < 0) { 474 LOG(WARNING) << "Error during eventfd read"; 475 break; 476 } else if (res == 0) { 477 LOG(WARNING) << "eventfd closed; disconnecting"; 478 break; 479 } else if (res != sizeof(num_queries)) { 480 LOG(ERROR) << "Int size mismatch: " << res << " != " << sizeof(num_queries); 481 break; 482 } else if (num_queries < 0) { 483 LOG(DEBUG) << "Negative eventfd read indicates destructor-initiated shutdown"; 484 break; 485 } 486 // Take ownership of all pending queries. (q is always empty here.) 487 mQueue.swap(q); 488 } else if (fds[SSLFD].revents & POLLOUT) { 489 // q cannot be empty here. 490 // Sending the entire queue here would risk a TCP flow control deadlock, so 491 // we only send a single query on each cycle of this loop. 492 // TODO: Coalesce multiple pending queries if there is enough space in the 493 // write buffer. 494 if (!sendQuery(q.front())) { 495 break; 496 } 497 q.pop_front(); 498 } 499 } 500 LOG(DEBUG) << "Disconnecting"; 501 sslDisconnect(); 502 LOG(DEBUG) << "Calling onClosed"; 503 mObserver->onClosed(); 504 transitionState(State::CONNECTED, State::WAIT_FOR_DELETE); 505 LOG(DEBUG) << "Ending loop"; 506 } 507 508 DnsTlsSocket::~DnsTlsSocket() { 509 LOG(DEBUG) << "Destructor"; 510 // This will trigger an orderly shutdown in loop(). 511 requestLoopShutdown(); 512 { 513 // Wait for the orderly shutdown to complete. 514 std::lock_guard guard(mLock); 515 if (mLoopThread && std::this_thread::get_id() == mLoopThread->get_id()) { 516 LOG(ERROR) << "Violation of re-entrance precondition"; 517 return; 518 } 519 } 520 if (mLoopThread) { 521 LOG(DEBUG) << "Waiting for loop thread to terminate"; 522 mLoopThread->join(); 523 mLoopThread.reset(); 524 } 525 LOG(DEBUG) << "Destructor completed"; 526 } 527 528 bool DnsTlsSocket::query(uint16_t id, const Slice query) { 529 // Compose the entire message in a single buffer, so that it can be 530 // sent as a single TLS record. 531 std::vector<uint8_t> buf(query.size() + 4); 532 // Write 2-byte length 533 uint16_t len = query.size() + 2; // + 2 for the ID. 534 buf[0] = len >> 8; 535 buf[1] = len; 536 // Write 2-byte ID 537 buf[2] = id >> 8; 538 buf[3] = id; 539 // Copy body 540 std::memcpy(buf.data() + 4, query.base(), query.size()); 541 542 mQueue.push(std::move(buf)); 543 // Increment the mEventFd counter by 1. 544 return incrementEventFd(1); 545 } 546 547 void DnsTlsSocket::requestLoopShutdown() { 548 if (mEventFd != -1) { 549 // Write a negative number to the eventfd. This triggers an immediate shutdown. 550 incrementEventFd(INT64_MIN); 551 } 552 if (mShutdownEvent != -1) { 553 if (eventfd_write(mShutdownEvent.get(), INT64_MIN) == -1) { 554 PLOG(ERROR) << "Failed to write to mShutdownEvent"; 555 } 556 } 557 } 558 559 bool DnsTlsSocket::incrementEventFd(const int64_t count) { 560 if (mEventFd == -1) { 561 LOG(ERROR) << "eventfd is not initialized"; 562 return false; 563 } 564 ssize_t written = write(mEventFd.get(), &count, sizeof(count)); 565 if (written != sizeof(count)) { 566 LOG(ERROR) << "Failed to increment eventfd by " << count; 567 return false; 568 } 569 return true; 570 } 571 572 void DnsTlsSocket::transitionState(State from, State to) { 573 if (mState != from) { 574 LOG(WARNING) << "BUG: transitioning from an unexpected state " << static_cast<int>(mState) 575 << ", expect: from " << static_cast<int>(from) << " to " 576 << static_cast<int>(to); 577 } 578 mState = to; 579 } 580 581 // Read exactly len bytes into buffer or fail with an SSL error code 582 int DnsTlsSocket::sslRead(const Slice buffer, bool wait) { 583 size_t remaining = buffer.size(); 584 while (remaining > 0) { 585 int ret = SSL_read(mSsl.get(), buffer.limit() - remaining, remaining); 586 if (ret == 0) { 587 if (remaining < buffer.size()) 588 LOG(WARNING) << "SSL closed with " << remaining << " of " << buffer.size() 589 << " bytes remaining"; 590 return SSL_ERROR_ZERO_RETURN; 591 } 592 593 if (ret < 0) { 594 const int ssl_err = SSL_get_error(mSsl.get(), ret); 595 if (wait && ssl_err == SSL_ERROR_WANT_READ) { 596 if (int err = waitForReading(mSslFd.get()); err <= 0) { 597 PLOG(WARNING) << "Poll failed in sslRead, error " << err; 598 return SSL_ERROR_SYSCALL; 599 } 600 continue; 601 } else { 602 LOG(DEBUG) << "SSL_read error " << ssl_err; 603 return ssl_err; 604 } 605 } 606 607 remaining -= ret; 608 wait = true; // Once a read is started, try to finish. 609 } 610 return SSL_ERROR_NONE; 611 } 612 613 bool DnsTlsSocket::sendQuery(const std::vector<uint8_t>& buf) { 614 if (!sslWrite(netdutils::makeSlice(buf))) { 615 return false; 616 } 617 LOG(DEBUG) << mMark << " SSL_write complete"; 618 return true; 619 } 620 621 bool DnsTlsSocket::readResponse() { 622 LOG(DEBUG) << "reading response"; 623 uint8_t responseHeader[2]; 624 int err = sslRead(Slice(responseHeader, 2), false); 625 if (err == SSL_ERROR_WANT_READ) { 626 LOG(DEBUG) << "Ignoring spurious wakeup from server"; 627 return true; 628 } 629 if (err != SSL_ERROR_NONE) { 630 return false; 631 } 632 // Truncate responses larger than MAX_SIZE. This is safe because a DNS packet is 633 // always invalid when truncated, so the response will be treated as an error. 634 constexpr uint16_t MAX_SIZE = 8192; 635 const uint16_t responseSize = (responseHeader[0] << 8) | responseHeader[1]; 636 LOG(DEBUG) << mMark << " Expecting response of size " << responseSize; 637 std::vector<uint8_t> response(std::min(responseSize, MAX_SIZE)); 638 if (sslRead(netdutils::makeSlice(response), true) != SSL_ERROR_NONE) { 639 LOG(DEBUG) << mMark << " Failed to read " << response.size() << " bytes"; 640 return false; 641 } 642 uint16_t remainingBytes = responseSize - response.size(); 643 while (remainingBytes > 0) { 644 constexpr uint16_t CHUNK_SIZE = 2048; 645 std::vector<uint8_t> discard(std::min(remainingBytes, CHUNK_SIZE)); 646 if (sslRead(netdutils::makeSlice(discard), true) != SSL_ERROR_NONE) { 647 LOG(DEBUG) << mMark << " Failed to discard " << discard.size() << " bytes"; 648 return false; 649 } 650 remainingBytes -= discard.size(); 651 } 652 LOG(DEBUG) << mMark << " SSL_read complete"; 653 654 mObserver->onResponse(std::move(response)); 655 return true; 656 } 657 658 } // end of namespace net 659 } // end of namespace android 660