Merge "Finish removing ALOG() from system/netd/resolv/" am: ab4b76b996 (619e71aa) · Commits · e / os / android_packages_modules_DnsResolver

Dns64Configuration.cpp

+11 −12

Original line number	Diff line number	Diff line
		@@ -19,7 +19,7 @@

		#include "Dns64Configuration.h"

		#include <log/log.h>
		#include <android-base/logging.h>
		#include <netdb.h>
		#include <thread>
		#include <utility>
		@@ -141,7 +141,8 @@ void Dns64Configuration::dump(DumpWriter& dw, unsigned netId) {
		// currently assumes the DNS64 prefix is a /96.
		bool Dns64Configuration::doRfc7050PrefixDiscovery(const android_net_context& netcontext,
		Dns64Config* cfg) {
		ALOGW("(%u, %u) Detecting NAT64 prefix from DNS...", cfg->netId, cfg->discoveryId);
		LOG(WARNING) << "(" << cfg->netId << ", " << cfg->discoveryId
		<< ") Detecting NAT64 prefix from DNS...";

		const struct addrinfo hints = {
		.ai_family = AF_INET6,
		@@ -156,8 +157,8 @@ bool Dns64Configuration::doRfc7050PrefixDiscovery(const android_net_context& net
		android_getaddrinfofornetcontext(kIPv4OnlyHost, nullptr, &hints, &netcontext, &res);
		ScopedAddrinfo result(res);
		if (status != 0) {
		ALOGW("(%u, %u) plat_prefix/dns(%s) status = %d/%s", cfg->netId, cfg->discoveryId,
		kIPv4OnlyHost, status, gai_strerror(status));
		LOG(WARNING) << "(" << cfg->netId << ", " << cfg->discoveryId << ") plat_prefix/dns("
		<< kIPv4OnlyHost << ") status = " << status << "/" << gai_strerror(status);
		return false;
		}

		@@ -170,17 +171,15 @@ bool Dns64Configuration::doRfc7050PrefixDiscovery(const android_net_context& net
		//
		// TODO: Consider remedying this.
		if (result->ai_family != AF_INET6) {
		ALOGW("(%u, %u) plat_prefix/unexpected address family: %d", cfg->netId, cfg->discoveryId,
		result->ai_family);
		LOG(WARNING) << "(" << cfg->netId << ", " << cfg->discoveryId
		<< ") plat_prefix/unexpected address family: " << result->ai_family;
		return false;
		}
		const IPAddress ipv6(reinterpret_cast<sockaddr_in6*>(result->ai_addr)->sin6_addr);
		// Only /96 DNS64 prefixes are supported at this time.
		cfg->prefix64 = IPPrefix(ipv6, 96);

		ALOGW("(%u, %u) Detected NAT64 prefix %s", cfg->netId, cfg->discoveryId,
		cfg->prefix64.toString().c_str());

		LOG(WARNING) << "(" << cfg->netId << ", " << cfg->discoveryId << ") Detected NAT64 prefix "
		<< cfg->prefix64.toString();
		return true;
		}

		@@ -194,8 +193,8 @@ bool Dns64Configuration::isDiscoveryInProgress(const Dns64Config& cfg) const REQ

		bool Dns64Configuration::reportNat64PrefixStatus(unsigned netId, bool added, const IPPrefix& pfx) {
		if (pfx.ip().family() != AF_INET6 \|\| pfx.ip().scope_id() != 0) {
		ALOGW("Abort to send NAT64 prefix notification. Unexpected NAT64 prefix (%u, %d, %s).",
		netId, added, pfx.toString().c_str());
		LOG(WARNING) << "Abort to send NAT64 prefix notification. Unexpected NAT64 prefix ("
		<< netId << ", " << added << ", " << pfx.toString() << ").";
		return false;
		}
		Nat64PrefixInfo args = {netId, added, pfx.ip().toString(), (uint8_t)pfx.length()};

DnsTlsDispatcher.cpp

+7 −8

Original line number	Diff line number	Diff line
		@@ -15,12 +15,11 @@
		*/

		#define LOG_TAG "resolv"
		//#define LOG_NDEBUG 0

		#include "DnsTlsDispatcher.h"
		#include "DnsTlsSocketFactory.h"

		#include "log/log.h"
		#include <android-base/logging.h>

		namespace android {
		namespace net {
		@@ -87,7 +86,7 @@ DnsTlsTransport::Response DnsTlsDispatcher::query(
		const Slice query, const Slice ans, int *resplen) {
		const std::list<DnsTlsServer> orderedServers(getOrderedServerList(tlsServers, mark));

		if (orderedServers.empty()) ALOGW("Empty DnsTlsServer list");
		if (orderedServers.empty()) LOG(WARNING) << "Empty DnsTlsServer list";

		DnsTlsTransport::Response code = DnsTlsTransport::Response::internal_error;
		for (const auto& server : orderedServers) {
		@@ -129,22 +128,22 @@ DnsTlsTransport::Response DnsTlsDispatcher::query(const DnsTlsServer& server, un
		++xport->useCount;
		}

		ALOGV("Sending query of length %zu", query.size());
		LOG(DEBUG) << "Sending query of length " << query.size();
		auto res = xport->transport.query(query);
		ALOGV("Awaiting response");
		LOG(DEBUG) << "Awaiting response";
		const auto& result = res.get();
		DnsTlsTransport::Response code = result.code;
		if (code == DnsTlsTransport::Response::success) {
		if (result.response.size() > ans.size()) {
		ALOGV("Response too large: %zu > %zu", result.response.size(), ans.size());
		LOG(DEBUG) << "Response too large: " << result.response.size() << " > " << ans.size();
		code = DnsTlsTransport::Response::limit_error;
		} else {
		ALOGV("Got response successfully");
		LOG(DEBUG) << "Got response successfully";
		*resplen = result.response.size();
		netdutils::copy(ans, netdutils::makeSlice(result.response));
		}
		} else {
		ALOGV("Query failed: %u", (unsigned int) code);
		LOG(DEBUG) << "Query failed: " << (unsigned int)code;
		}

		auto now = std::chrono::steady_clock::now();

DnsTlsQueryMap.cpp

+8 −9

Original line number	Diff line number	Diff line
		@@ -15,11 +15,10 @@
		*/

		#define LOG_TAG "resolv"
		//#define LOG_NDEBUG 0

		#include "DnsTlsQueryMap.h"

		#include "log/log.h"
		#include <android-base/logging.h>

		namespace android {
		namespace net {
		@@ -30,12 +29,12 @@ std::unique_ptr<DnsTlsQueryMap::QueryFuture> DnsTlsQueryMap::recordQuery(

		// Store the query so it can be matched to the response or reissued.
		if (query.size() < 2) {
		ALOGW("Query is too short");
		LOG(WARNING) << "Query is too short";
		return nullptr;
		}
		int32_t newId = getFreeId();
		if (newId < 0) {
		ALOGW("All query IDs are in use");
		LOG(WARNING) << "All query IDs are in use";
		return nullptr;
		}
		Query q = { .newId = static_cast<uint16_t>(newId), .query = query };
		@@ -43,7 +42,7 @@ std::unique_ptr<DnsTlsQueryMap::QueryFuture> DnsTlsQueryMap::recordQuery(
		bool inserted;
		std::tie(it, inserted) = mQueries.emplace(newId, q);
		if (!inserted) {
		ALOGE("Failed to store pending query");
		LOG(ERROR) << "Failed to store pending query";
		return nullptr;
		}
		return std::make_unique<QueryFuture>(q, it->second.result.get_future());
		@@ -124,16 +123,16 @@ void DnsTlsQueryMap::clear() {
		}

		void DnsTlsQueryMap::onResponse(std::vector<uint8_t> response) {
		ALOGV("Got response of size %zu", response.size());
		LOG(VERBOSE) << "Got response of size " << response.size();
		if (response.size() < 2) {
		ALOGW("Response is too short");
		LOG(WARNING) << "Response is too short";
		return;
		}
		uint16_t id = response[0] << 8 \| response[1];
		std::lock_guard guard(mLock);
		auto it = mQueries.find(id);
		if (it == mQueries.end()) {
		ALOGW("Discarding response: unknown ID %d", id);
		LOG(WARNING) << "Discarding response: unknown ID " << id;
		return;
		}
		Result r = { .code = Response::success, .response = std::move(response) };
		@@ -141,7 +140,7 @@ void DnsTlsQueryMap::onResponse(std::vector<uint8_t> response) {
		const uint8_t* data = it->second.query.query.base();
		r.response[0] = data[0];
		r.response[1] = data[1];
		ALOGV("Sending result to dispatcher");
		LOG(DEBUG) << "Sending result to dispatcher";
		it->second.result.set_value(std::move(r));
		mQueries.erase(it);
		}

DnsTlsSessionCache.cpp

+6 −7

Original line number	Diff line number	Diff line
		@@ -17,9 +17,8 @@
		#include "DnsTlsSessionCache.h"

		#define LOG_TAG "resolv"
		//#define LOG_NDEBUG 0

		#include "log/log.h"
		#include <android-base/logging.h>

		namespace android {
		namespace net {
		@@ -39,16 +38,16 @@ void DnsTlsSessionCache::prepareSslContext(SSL_CTX* ssl_ctx) {
		// static
		int DnsTlsSessionCache::newSessionCallback(SSL* ssl, SSL_SESSION* session) {
		if (!ssl \|\| !session) {
		ALOGE("Null SSL object in new session callback");
		LOG(ERROR) << "Null SSL object in new session callback";
		return 0;
		}
		DnsTlsSessionCache* cache = reinterpret_cast<DnsTlsSessionCache*>(
		SSL_get_ex_data(ssl, 0));
		if (!cache) {
		ALOGE("null transport in new session callback");
		LOG(ERROR) << "null transport in new session callback";
		return 0;
		}
		ALOGV("Recording session");
		LOG(DEBUG) << "Recording session";
		cache->recordSession(session);
		return 1; // Increment the refcount of session.
		}
		@@ -57,7 +56,7 @@ void DnsTlsSessionCache::recordSession(SSL_SESSION* session) {
		std::lock_guard guard(mLock);
		mSessions.emplace_front(session);
		if (mSessions.size() > kMaxSize) {
		ALOGV("Too many sessions; trimming");
		LOG(DEBUG) << "Too many sessions; trimming";
		mSessions.pop_back();
		}
		}
		@@ -65,7 +64,7 @@ void DnsTlsSessionCache::recordSession(SSL_SESSION* session) {
		bssl::UniquePtr<SSL_SESSION> DnsTlsSessionCache::getSession() {
		std::lock_guard guard(mLock);
		if (mSessions.size() == 0) {
		ALOGV("No known sessions");
		LOG(DEBUG) << "No known sessions";
		return nullptr;
		}
		bssl::UniquePtr<SSL_SESSION> ret = std::move(mSessions.front());

DnsTlsSocket.cpp

+61 −60

Original line number	Diff line number	Diff line
		@@ -15,7 +15,6 @@
		*/

		#define LOG_TAG "resolv"
		//#define LOG_NDEBUG 0

		#include "DnsTlsSocket.h"

		@@ -32,7 +31,8 @@
		#include "DnsTlsSessionCache.h"
		#include "IDnsTlsSocketObserver.h"

		#include "log/log.h"
		#include <android-base/logging.h>

		#include "netdutils/SocketOption.h"

		namespace android {
		@@ -64,7 +64,7 @@ int waitForWriting(int fd) {
		} // namespace

		Status DnsTlsSocket::tcpConnect() {
		ALOGV("%u connecting TCP socket", mMark);
		LOG(DEBUG) << mMark << " connecting TCP socket";
		int type = SOCK_NONBLOCK \| SOCK_CLOEXEC;
		switch (mServer.protocol) {
		case IPPROTO_TCP:
		@@ -76,20 +76,20 @@ Status DnsTlsSocket::tcpConnect() {

		mSslFd.reset(socket(mServer.ss.ss_family, type, mServer.protocol));
		if (mSslFd.get() == -1) {
		ALOGE("Failed to create socket");
		LOG(ERROR) << "Failed to create socket";
		return Status(errno);
		}

		const socklen_t len = sizeof(mMark);
		if (setsockopt(mSslFd.get(), SOL_SOCKET, SO_MARK, &mMark, len) == -1) {
		ALOGE("Failed to set socket mark");
		LOG(ERROR) << "Failed to set socket mark";
		mSslFd.reset();
		return Status(errno);
		}

		const Status tfo = enableSockopt(mSslFd.get(), SOL_TCP, TCP_FASTOPEN_CONNECT);
		if (!isOk(tfo) && tfo.code() != ENOPROTOOPT) {
		ALOGI("Failed to enable TFO: %s", tfo.msg().c_str());
		LOG(WARNING) << "Failed to enable TFO: " << tfo.msg();
		}

		// Send 5 keepalives, 3 seconds apart, after 15 seconds of inactivity.
		@@ -98,7 +98,7 @@ Status DnsTlsSocket::tcpConnect() {
		if (connect(mSslFd.get(), reinterpret_cast<const struct sockaddr *>(&mServer.ss),
		sizeof(mServer.ss)) != 0 &&
		errno != EINPROGRESS) {
		ALOGV("Socket failed to connect");
		LOG(DEBUG) << "Socket failed to connect";
		mSslFd.reset();
		return Status(errno);
		}
		@@ -111,18 +111,18 @@ bool getSPKIDigest(const X509* cert, std::vector<uint8_t>* out) {
		unsigned char spki[spki_len];
		unsigned char* temp = spki;
		if (spki_len != i2d_X509_PUBKEY(X509_get_X509_PUBKEY(cert), &temp)) {
		ALOGW("SPKI length mismatch");
		LOG(WARNING) << "SPKI length mismatch";
		return false;
		}
		out->resize(SHA256_SIZE);
		unsigned int digest_len = 0;
		int ret = EVP_Digest(spki, spki_len, out->data(), &digest_len, EVP_sha256(), nullptr);
		if (ret != 1) {
		ALOGW("Server cert digest extraction failed");
		LOG(WARNING) << "Server cert digest extraction failed";
		return false;
		}
		if (digest_len != out->size()) {
		ALOGW("Wrong digest length: %d", digest_len);
		LOG(WARNING) << "Wrong digest length: " << digest_len;
		return false;
		}
		return true;
		@@ -145,7 +145,7 @@ bool DnsTlsSocket::initialize() {
		//
		// For discussion of alternative, sustainable approaches see b/71909242.
		if (SSL_CTX_load_verify_locations(mSslCtx.get(), nullptr, kCaCertDir) != 1) {
		ALOGE("Failed to load CA cert dir: %s", kCaCertDir);
		LOG(ERROR) << "Failed to load CA cert dir: " << kCaCertDir;
		return false;
		}

		@@ -176,11 +176,11 @@ bool DnsTlsSocket::initialize() {

		bssl::UniquePtr<SSL> DnsTlsSocket::sslConnect(int fd) {
		if (!mSslCtx) {
		ALOGE("Internal error: context is null in sslConnect");
		LOG(ERROR) << "Internal error: context is null in sslConnect";
		return nullptr;
		}
		if (!SSL_CTX_set_min_proto_version(mSslCtx.get(), TLS1_2_VERSION)) {
		ALOGE("Failed to set minimum TLS version");
		LOG(ERROR) << "Failed to set minimum TLS version";
		return nullptr;
		}

		@@ -196,12 +196,12 @@ bssl::UniquePtr<SSL> DnsTlsSocket::sslConnect(int fd) {

		if (!mServer.name.empty()) {
		if (SSL_set_tlsext_host_name(ssl.get(), mServer.name.c_str()) != 1) {
		ALOGE("Failed to set SNI to %s", mServer.name.c_str());
		LOG(ERROR) << "ailed to set SNI to " << mServer.name;
		return nullptr;
		}
		X509_VERIFY_PARAM* param = SSL_get0_param(ssl.get());
		if (X509_VERIFY_PARAM_set1_host(param, mServer.name.data(), mServer.name.size()) != 1) {
		ALOGE("Failed to set verify host param to %s", mServer.name.c_str());
		LOG(ERROR) << "Failed to set verify host param to " << mServer.name;
		return nullptr;
		}
		// This will cause the handshake to fail if certificate verification fails.
		@@ -210,41 +210,41 @@ bssl::UniquePtr<SSL> DnsTlsSocket::sslConnect(int fd) {

		bssl::UniquePtr<SSL_SESSION> session = mCache->getSession();
		if (session) {
		ALOGV("Setting session");
		LOG(DEBUG) << "Setting session";
		SSL_set_session(ssl.get(), session.get());
		} else {
		ALOGV("No session available");
		LOG(DEBUG) << "No session available";
		}

		for (;;) {
		ALOGV("%u Calling SSL_connect", mMark);
		LOG(DEBUG) << mMark << " Calling SSL_connect";
		int ret = SSL_connect(ssl.get());
		ALOGV("%u SSL_connect returned %d", mMark, ret);
		LOG(DEBUG) << mMark << " SSL_connect returned " << ret;
		if (ret == 1) break; // SSL handshake complete;

		const int ssl_err = SSL_get_error(ssl.get(), ret);
		switch (ssl_err) {
		case SSL_ERROR_WANT_READ:
		if (waitForReading(fd) != 1) {
		ALOGW("SSL_connect read error: %d", errno);
		LOG(WARNING) << "SSL_connect read error: " << errno;
		return nullptr;
		}
		break;
		case SSL_ERROR_WANT_WRITE:
		if (waitForWriting(fd) != 1) {
		ALOGW("SSL_connect write error");
		LOG(WARNING) << "SSL_connect write error";
		return nullptr;
		}
		break;
		default:
		ALOGW("SSL_connect error %d, errno=%d", ssl_err, errno);
		LOG(WARNING) << "SSL_connect error " << ssl_err << ", errno=" << errno;
		return nullptr;
		}
		}

		// TODO: Call SSL_shutdown before discarding the session if validation fails.
		if (!mServer.fingerprints.empty()) {
		ALOGV("Checking DNS over TLS fingerprint");
		LOG(DEBUG) << "Checking DNS over TLS fingerprint";

		// We only care that the chain is internally self-consistent, not that
		// it chains to a trusted root, so we can ignore some kinds of errors.
		@@ -257,13 +257,13 @@ bssl::UniquePtr<SSL> DnsTlsSocket::sslConnect(int fd) {
		case X509_V_ERR_CERT_UNTRUSTED:
		break;
		default:
		ALOGW("Invalid certificate chain, error %d", verify_result);
		LOG(WARNING) << "Invalid certificate chain, error " << verify_result;
		return nullptr;
		}

		STACK_OF(X509) *chain = SSL_get_peer_cert_chain(ssl.get());
		if (!chain) {
		ALOGW("Server has null certificate");
		LOG(WARNING) << "Server has null certificate";
		return nullptr;
		}
		// Chain and its contents are owned by ssl, so we don't need to free explicitly.
		@@ -274,7 +274,7 @@ bssl::UniquePtr<SSL> DnsTlsSocket::sslConnect(int fd) {
		X509* cert = sk_X509_value(chain, i);
		std::vector<uint8_t> digest;
		if (!getSPKIDigest(cert, &digest)) {
		ALOGE("Digest computation failed");
		LOG(ERROR) << "Digest computation failed";
		return nullptr;
		}

		@@ -285,14 +285,14 @@ bssl::UniquePtr<SSL> DnsTlsSocket::sslConnect(int fd) {
		}

		if (!matched) {
		ALOGW("No matching fingerprint");
		LOG(WARNING) << "No matching fingerprint";
		return nullptr;
		}

		ALOGV("DNS over TLS fingerprint is correct");
		LOG(DEBUG) << "DNS over TLS fingerprint is correct";
		}

		ALOGV("%u handshake complete", mMark);
		LOG(DEBUG) << mMark << " handshake complete";

		return ssl;
		}
		@@ -306,7 +306,7 @@ void DnsTlsSocket::sslDisconnect() {
		}

		bool DnsTlsSocket::sslWrite(const Slice buffer) {
		ALOGV("%u Writing %zu bytes", mMark, buffer.size());
		LOG(DEBUG) << mMark << " Writing " << buffer.size() << " bytes";
		for (;;) {
		int ret = SSL_write(mSsl.get(), buffer.base(), buffer.size());
		if (ret == int(buffer.size())) break; // SSL write complete;
		@@ -316,19 +316,19 @@ bool DnsTlsSocket::sslWrite(const Slice buffer) {
		switch (ssl_err) {
		case SSL_ERROR_WANT_WRITE:
		if (waitForWriting(mSslFd.get()) != 1) {
		ALOGV("SSL_write error");
		LOG(DEBUG) << "SSL_write error";
		return false;
		}
		continue;
		case 0:
		break; // SSL write complete;
		default:
		ALOGV("SSL_write error %d", ssl_err);
		LOG(DEBUG) << "SSL_write error " << ssl_err;
		return false;
		}
		}
		}
		ALOGV("%u Wrote %zu bytes", mMark, buffer.size());
		LOG(DEBUG) << mMark << " Wrote " << buffer.size() << " bytes";
		return true;
		}

		@@ -359,16 +359,16 @@ void DnsTlsSocket::loop() {

		const int s = TEMP_FAILURE_RETRY(poll(fds, std::size(fds), timeout_msecs));
		if (s == 0) {
		ALOGV("Idle timeout");
		LOG(DEBUG) << "Idle timeout";
		break;
		}
		if (s < 0) {
		ALOGV("Poll failed: %d", errno);
		LOG(DEBUG) << "Poll failed: " << errno;
		break;
		}
		if (fds[SSLFD].revents & (POLLIN \| POLLERR \| POLLHUP)) {
		if (!readResponse()) {
		ALOGV("SSL remote close or read error.");
		LOG(DEBUG) << "SSL remote close or read error.";
		break;
		}
		}
		@@ -376,16 +376,16 @@ void DnsTlsSocket::loop() {
		int64_t num_queries;
		ssize_t res = read(mEventFd.get(), &num_queries, sizeof(num_queries));
		if (res < 0) {
		ALOGW("Error during eventfd read");
		LOG(WARNING) << "Error during eventfd read";
		break;
		} else if (res == 0) {
		ALOGW("eventfd closed; disconnecting");
		LOG(WARNING) << "eventfd closed; disconnecting";
		break;
		} else if (res != sizeof(num_queries)) {
		ALOGE("Int size mismatch: %zd != %zu", res, sizeof(num_queries));
		LOG(ERROR) << "Int size mismatch: " << res << " != " << sizeof(num_queries);
		break;
		} else if (num_queries < 0) {
		ALOGV("Negative eventfd read indicates destructor-initiated shutdown");
		LOG(DEBUG) << "Negative eventfd read indicates destructor-initiated shutdown";
		break;
		}
		// Take ownership of all pending queries. (q is always empty here.)
		@@ -402,31 +402,31 @@ void DnsTlsSocket::loop() {
		q.pop_front();
		}
		}
		ALOGV("Disconnecting");
		LOG(DEBUG) << "Disconnecting";
		sslDisconnect();
		ALOGV("Calling onClosed");
		LOG(DEBUG) << "Calling onClosed";
		mObserver->onClosed();
		ALOGV("Ending loop");
		LOG(DEBUG) << "Ending loop";
		}

		DnsTlsSocket::~DnsTlsSocket() {
		ALOGV("Destructor");
		LOG(DEBUG) << "Destructor";
		// This will trigger an orderly shutdown in loop().
		requestLoopShutdown();
		{
		// Wait for the orderly shutdown to complete.
		std::lock_guard guard(mLock);
		if (mLoopThread && std::this_thread::get_id() == mLoopThread->get_id()) {
		ALOGE("Violation of re-entrance precondition");
		LOG(ERROR) << "Violation of re-entrance precondition";
		return;
		}
		}
		if (mLoopThread) {
		ALOGV("Waiting for loop thread to terminate");
		LOG(DEBUG) << "Waiting for loop thread to terminate";
		mLoopThread->join();
		mLoopThread.reset();
		}
		ALOGV("Destructor completed");
		LOG(DEBUG) << "Destructor completed";
		}

		bool DnsTlsSocket::query(uint16_t id, const Slice query) {
		@@ -457,12 +457,12 @@ void DnsTlsSocket::requestLoopShutdown() {

		bool DnsTlsSocket::incrementEventFd(const int64_t count) {
		if (mEventFd == -1) {
		ALOGE("eventfd is not initialized");
		LOG(ERROR) << "eventfd is not initialized";
		return false;
		}
		ssize_t written = write(mEventFd.get(), &count, sizeof(count));
		if (written != sizeof(count)) {
		ALOGE("Failed to increment eventfd by %" PRId64, count);
		LOG(ERROR) << "Failed to increment eventfd by " << count;
		return false;
		}
		return true;
		@@ -474,8 +474,9 @@ int DnsTlsSocket::sslRead(const Slice buffer, bool wait) {
		while (remaining > 0) {
		int ret = SSL_read(mSsl.get(), buffer.limit() - remaining, remaining);
		if (ret == 0) {
		ALOGW_IF(remaining < buffer.size(), "SSL closed with %zu of %zu bytes remaining",
		remaining, buffer.size());
		if (remaining < buffer.size())
		LOG(WARNING) << "SSL closed with " << remaining << " of " << buffer.size()
		<< " bytes remaining";
		return SSL_ERROR_ZERO_RETURN;
		}

		@@ -483,12 +484,12 @@ int DnsTlsSocket::sslRead(const Slice buffer, bool wait) {
		const int ssl_err = SSL_get_error(mSsl.get(), ret);
		if (wait && ssl_err == SSL_ERROR_WANT_READ) {
		if (waitForReading(mSslFd.get()) != 1) {
		ALOGV("Poll failed in sslRead: %d", errno);
		LOG(DEBUG) << "Poll failed in sslRead: " << errno;
		return SSL_ERROR_SYSCALL;
		}
		continue;
		} else {
		ALOGV("SSL_read error %d", ssl_err);
		LOG(DEBUG) << "SSL_read error " << ssl_err;
		return ssl_err;
		}
		}
		@@ -503,16 +504,16 @@ bool DnsTlsSocket::sendQuery(const std::vector<uint8_t>& buf) {
		if (!sslWrite(netdutils::makeSlice(buf))) {
		return false;
		}
		ALOGV("%u SSL_write complete", mMark);
		LOG(DEBUG) << mMark << " SSL_write complete";
		return true;
		}

		bool DnsTlsSocket::readResponse() {
		ALOGV("reading response");
		LOG(DEBUG) << "reading response";
		uint8_t responseHeader[2];
		int err = sslRead(Slice(responseHeader, 2), false);
		if (err == SSL_ERROR_WANT_READ) {
		ALOGV("Ignoring spurious wakeup from server");
		LOG(DEBUG) << "Ignoring spurious wakeup from server";
		return true;
		}
		if (err != SSL_ERROR_NONE) {
		@@ -522,10 +523,10 @@ bool DnsTlsSocket::readResponse() {
		// always invalid when truncated, so the response will be treated as an error.
		constexpr uint16_t MAX_SIZE = 8192;
		const uint16_t responseSize = (responseHeader[0] << 8) \| responseHeader[1];
		ALOGV("%u Expecting response of size %i", mMark, responseSize);
		LOG(DEBUG) << mMark << " Expecting response of size " << responseSize;
		std::vector<uint8_t> response(std::min(responseSize, MAX_SIZE));
		if (sslRead(netdutils::makeSlice(response), true) != SSL_ERROR_NONE) {
		ALOGV("%u Failed to read %zu bytes", mMark, response.size());
		LOG(DEBUG) << mMark << " Failed to read " << response.size() << " bytes";
		return false;
		}
		uint16_t remainingBytes = responseSize - response.size();
		@@ -533,12 +534,12 @@ bool DnsTlsSocket::readResponse() {
		constexpr uint16_t CHUNK_SIZE = 2048;
		std::vector<uint8_t> discard(std::min(remainingBytes, CHUNK_SIZE));
		if (sslRead(netdutils::makeSlice(discard), true) != SSL_ERROR_NONE) {
		ALOGV("%u Failed to discard %zu bytes", mMark, discard.size());
		LOG(DEBUG) << mMark << " Failed to discard " << discard.size() << " bytes";
		return false;
		}
		remainingBytes -= discard.size();
		}
		ALOGV("%u SSL_read complete", mMark);
		LOG(DEBUG) << mMark << " SSL_read complete";

		mObserver->onResponse(std::move(response));
		return true;