1 /*
2 * Copyright (C) 2018 The Android Open Source Project
3 *
4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at
7 *
8 * http://www.apache.org/licenses/LICENSE-2.0
9 *
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
15 */
16
17 #define LOG_TAG "DnsTlsSocket"
18 //#define LOG_NDEBUG 0
19
20 #include "dns/DnsTlsSocket.h"
21
22 #include <arpa/inet.h>
23 #include <arpa/nameser.h>
24 #include <errno.h>
25 #include <linux/tcp.h>
26 #include <openssl/err.h>
27 #include <sys/eventfd.h>
28 #include <sys/poll.h>
29 #include <algorithm>
30
31 #include "dns/DnsTlsSessionCache.h"
32 #include "dns/IDnsTlsSocketObserver.h"
33
34 #include "log/log.h"
35 #include "netdutils/SocketOption.h"
36 #include "Fwmark.h"
37 #undef ADD // already defined in nameser.h
38 #include "NetdConstants.h"
39 #include "Permission.h"
40
41
42 namespace android {
43
44 using netdutils::enableSockopt;
45 using netdutils::enableTcpKeepAlives;
46 using netdutils::isOk;
47 using netdutils::Status;
48
49 namespace net {
50 namespace {
51
52 constexpr const char kCaCertDir[] = "/system/etc/security/cacerts";
53
waitForReading(int fd)54 int waitForReading(int fd) {
55 struct pollfd fds = { .fd = fd, .events = POLLIN };
56 const int ret = TEMP_FAILURE_RETRY(poll(&fds, 1, -1));
57 return ret;
58 }
59
waitForWriting(int fd)60 int waitForWriting(int fd) {
61 struct pollfd fds = { .fd = fd, .events = POLLOUT };
62 const int ret = TEMP_FAILURE_RETRY(poll(&fds, 1, -1));
63 return ret;
64 }
65
66 } // namespace
67
tcpConnect()68 Status DnsTlsSocket::tcpConnect() {
69 ALOGV("%u connecting TCP socket", mMark);
70 int type = SOCK_NONBLOCK | SOCK_CLOEXEC;
71 switch (mServer.protocol) {
72 case IPPROTO_TCP:
73 type |= SOCK_STREAM;
74 break;
75 default:
76 return Status(EPROTONOSUPPORT);
77 }
78
79 mSslFd.reset(socket(mServer.ss.ss_family, type, mServer.protocol));
80 if (mSslFd.get() == -1) {
81 ALOGE("Failed to create socket");
82 return Status(errno);
83 }
84
85 const socklen_t len = sizeof(mMark);
86 if (setsockopt(mSslFd.get(), SOL_SOCKET, SO_MARK, &mMark, len) == -1) {
87 ALOGE("Failed to set socket mark");
88 mSslFd.reset();
89 return Status(errno);
90 }
91
92 const Status tfo = enableSockopt(mSslFd.get(), SOL_TCP, TCP_FASTOPEN_CONNECT);
93 if (!isOk(tfo) && tfo.code() != ENOPROTOOPT) {
94 ALOGI("Failed to enable TFO: %s", tfo.msg().c_str());
95 }
96
97 // Send 5 keepalives, 3 seconds apart, after 15 seconds of inactivity.
98 enableTcpKeepAlives(mSslFd.get(), 15U, 5U, 3U);
99
100 if (connect(mSslFd.get(), reinterpret_cast<const struct sockaddr *>(&mServer.ss),
101 sizeof(mServer.ss)) != 0 &&
102 errno != EINPROGRESS) {
103 ALOGV("Socket failed to connect");
104 mSslFd.reset();
105 return Status(errno);
106 }
107
108 return netdutils::status::ok;
109 }
110
getSPKIDigest(const X509 * cert,std::vector<uint8_t> * out)111 bool getSPKIDigest(const X509* cert, std::vector<uint8_t>* out) {
112 int spki_len = i2d_X509_PUBKEY(X509_get_X509_PUBKEY(cert), NULL);
113 unsigned char spki[spki_len];
114 unsigned char* temp = spki;
115 if (spki_len != i2d_X509_PUBKEY(X509_get_X509_PUBKEY(cert), &temp)) {
116 ALOGW("SPKI length mismatch");
117 return false;
118 }
119 out->resize(SHA256_SIZE);
120 unsigned int digest_len = 0;
121 int ret = EVP_Digest(spki, spki_len, out->data(), &digest_len, EVP_sha256(), NULL);
122 if (ret != 1) {
123 ALOGW("Server cert digest extraction failed");
124 return false;
125 }
126 if (digest_len != out->size()) {
127 ALOGW("Wrong digest length: %d", digest_len);
128 return false;
129 }
130 return true;
131 }
132
initialize()133 bool DnsTlsSocket::initialize() {
134 // This method should only be called once, at the beginning, so locking should be
135 // unnecessary. This lock only serves to help catch bugs in code that calls this method.
136 std::lock_guard<std::mutex> guard(mLock);
137 if (mSslCtx) {
138 // This is a bug in the caller.
139 return false;
140 }
141 mSslCtx.reset(SSL_CTX_new(TLS_method()));
142 if (!mSslCtx) {
143 return false;
144 }
145
146 // Load system CA certs for hostname verification.
147 //
148 // For discussion of alternative, sustainable approaches see b/71909242.
149 if (SSL_CTX_load_verify_locations(mSslCtx.get(), nullptr, kCaCertDir) != 1) {
150 ALOGE("Failed to load CA cert dir: %s", kCaCertDir);
151 return false;
152 }
153
154 // Enable TLS false start
155 SSL_CTX_set_false_start_allowed_without_alpn(mSslCtx.get(), 1);
156 SSL_CTX_set_mode(mSslCtx.get(), SSL_MODE_ENABLE_FALSE_START);
157
158 // Enable session cache
159 mCache->prepareSslContext(mSslCtx.get());
160
161 // Connect
162 Status status = tcpConnect();
163 if (!status.ok()) {
164 return false;
165 }
166 mSsl = sslConnect(mSslFd.get());
167 if (!mSsl) {
168 return false;
169 }
170
171 mEventFd.reset(eventfd(0, EFD_NONBLOCK | EFD_CLOEXEC));
172
173 // Start the I/O loop.
174 mLoopThread.reset(new std::thread(&DnsTlsSocket::loop, this));
175
176 return true;
177 }
178
sslConnect(int fd)179 bssl::UniquePtr<SSL> DnsTlsSocket::sslConnect(int fd) {
180 if (!mSslCtx) {
181 ALOGE("Internal error: context is null in sslConnect");
182 return nullptr;
183 }
184 if (!SSL_CTX_set_min_proto_version(mSslCtx.get(), TLS1_2_VERSION)) {
185 ALOGE("Failed to set minimum TLS version");
186 return nullptr;
187 }
188
189 bssl::UniquePtr<SSL> ssl(SSL_new(mSslCtx.get()));
190 // This file descriptor is owned by mSslFd, so don't let libssl close it.
191 bssl::UniquePtr<BIO> bio(BIO_new_socket(fd, BIO_NOCLOSE));
192 SSL_set_bio(ssl.get(), bio.get(), bio.get());
193 bio.release();
194
195 if (!mCache->prepareSsl(ssl.get())) {
196 return nullptr;
197 }
198
199 if (!mServer.name.empty()) {
200 if (SSL_set_tlsext_host_name(ssl.get(), mServer.name.c_str()) != 1) {
201 ALOGE("Failed to set SNI to %s", mServer.name.c_str());
202 return nullptr;
203 }
204 X509_VERIFY_PARAM* param = SSL_get0_param(ssl.get());
205 if (X509_VERIFY_PARAM_set1_host(param, mServer.name.data(), mServer.name.size()) != 1) {
206 ALOGE("Failed to set verify host param to %s", mServer.name.c_str());
207 return nullptr;
208 }
209 // This will cause the handshake to fail if certificate verification fails.
210 SSL_set_verify(ssl.get(), SSL_VERIFY_PEER, nullptr);
211 }
212
213 bssl::UniquePtr<SSL_SESSION> session = mCache->getSession();
214 if (session) {
215 ALOGV("Setting session");
216 SSL_set_session(ssl.get(), session.get());
217 } else {
218 ALOGV("No session available");
219 }
220
221 for (;;) {
222 ALOGV("%u Calling SSL_connect", mMark);
223 int ret = SSL_connect(ssl.get());
224 ALOGV("%u SSL_connect returned %d", mMark, ret);
225 if (ret == 1) break; // SSL handshake complete;
226
227 const int ssl_err = SSL_get_error(ssl.get(), ret);
228 switch (ssl_err) {
229 case SSL_ERROR_WANT_READ:
230 if (waitForReading(fd) != 1) {
231 ALOGW("SSL_connect read error: %d", errno);
232 return nullptr;
233 }
234 break;
235 case SSL_ERROR_WANT_WRITE:
236 if (waitForWriting(fd) != 1) {
237 ALOGW("SSL_connect write error");
238 return nullptr;
239 }
240 break;
241 default:
242 ALOGW("SSL_connect error %d, errno=%d", ssl_err, errno);
243 return nullptr;
244 }
245 }
246
247 // TODO: Call SSL_shutdown before discarding the session if validation fails.
248 if (!mServer.fingerprints.empty()) {
249 ALOGV("Checking DNS over TLS fingerprint");
250
251 // We only care that the chain is internally self-consistent, not that
252 // it chains to a trusted root, so we can ignore some kinds of errors.
253 // TODO: Add a CA root verification mode that respects these errors.
254 int verify_result = SSL_get_verify_result(ssl.get());
255 switch (verify_result) {
256 case X509_V_OK:
257 case X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT:
258 case X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN:
259 case X509_V_ERR_CERT_UNTRUSTED:
260 break;
261 default:
262 ALOGW("Invalid certificate chain, error %d", verify_result);
263 return nullptr;
264 }
265
266 STACK_OF(X509) *chain = SSL_get_peer_cert_chain(ssl.get());
267 if (!chain) {
268 ALOGW("Server has null certificate");
269 return nullptr;
270 }
271 // Chain and its contents are owned by ssl, so we don't need to free explicitly.
272 bool matched = false;
273 for (size_t i = 0; i < sk_X509_num(chain); ++i) {
274 // This appears to be O(N^2), but there doesn't seem to be a straightforward
275 // way to walk a STACK_OF nondestructively in linear time.
276 X509* cert = sk_X509_value(chain, i);
277 std::vector<uint8_t> digest;
278 if (!getSPKIDigest(cert, &digest)) {
279 ALOGE("Digest computation failed");
280 return nullptr;
281 }
282
283 if (mServer.fingerprints.count(digest) > 0) {
284 matched = true;
285 break;
286 }
287 }
288
289 if (!matched) {
290 ALOGW("No matching fingerprint");
291 return nullptr;
292 }
293
294 ALOGV("DNS over TLS fingerprint is correct");
295 }
296
297 ALOGV("%u handshake complete", mMark);
298
299 return ssl;
300 }
301
sslDisconnect()302 void DnsTlsSocket::sslDisconnect() {
303 if (mSsl) {
304 SSL_shutdown(mSsl.get());
305 mSsl.reset();
306 }
307 mSslFd.reset();
308 }
309
sslWrite(const Slice buffer)310 bool DnsTlsSocket::sslWrite(const Slice buffer) {
311 ALOGV("%u Writing %zu bytes", mMark, buffer.size());
312 for (;;) {
313 int ret = SSL_write(mSsl.get(), buffer.base(), buffer.size());
314 if (ret == int(buffer.size())) break; // SSL write complete;
315
316 if (ret < 1) {
317 const int ssl_err = SSL_get_error(mSsl.get(), ret);
318 switch (ssl_err) {
319 case SSL_ERROR_WANT_WRITE:
320 if (waitForWriting(mSslFd.get()) != 1) {
321 ALOGV("SSL_write error");
322 return false;
323 }
324 continue;
325 case 0:
326 break; // SSL write complete;
327 default:
328 ALOGV("SSL_write error %d", ssl_err);
329 return false;
330 }
331 }
332 }
333 ALOGV("%u Wrote %zu bytes", mMark, buffer.size());
334 return true;
335 }
336
loop()337 void DnsTlsSocket::loop() {
338 std::lock_guard<std::mutex> guard(mLock);
339 std::deque<std::vector<uint8_t>> q;
340
341 const int timeout_msecs = DnsTlsSocket::kIdleTimeout.count() * 1000;
342 while (true) {
343 // poll() ignores negative fds
344 struct pollfd fds[2] = { { .fd = -1 }, { .fd = -1 } };
345 enum { SSLFD = 0, EVENTFD = 1 };
346
347 // Always listen for a response from server.
348 fds[SSLFD].fd = mSslFd.get();
349 fds[SSLFD].events = POLLIN;
350
351 // If we have pending queries, wait for space to write one.
352 // Otherwise, listen for new queries.
353 // Note: This blocks the destructor until q is empty, i.e. until all pending
354 // queries are sent or have failed to send.
355 if (!q.empty()) {
356 fds[SSLFD].events |= POLLOUT;
357 } else {
358 fds[EVENTFD].fd = mEventFd.get();
359 fds[EVENTFD].events = POLLIN;
360 }
361
362 const int s = TEMP_FAILURE_RETRY(poll(fds, ARRAY_SIZE(fds), timeout_msecs));
363 if (s == 0) {
364 ALOGV("Idle timeout");
365 break;
366 }
367 if (s < 0) {
368 ALOGV("Poll failed: %d", errno);
369 break;
370 }
371 if (fds[SSLFD].revents & (POLLIN | POLLERR | POLLHUP)) {
372 if (!readResponse()) {
373 ALOGV("SSL remote close or read error.");
374 break;
375 }
376 }
377 if (fds[EVENTFD].revents & (POLLIN | POLLERR)) {
378 int64_t num_queries;
379 ssize_t res = read(mEventFd.get(), &num_queries, sizeof(num_queries));
380 if (res < 0) {
381 ALOGW("Error during eventfd read");
382 break;
383 } else if (res == 0) {
384 ALOGW("eventfd closed; disconnecting");
385 break;
386 } else if (res != sizeof(num_queries)) {
387 ALOGE("Int size mismatch: %zd != %zu", res, sizeof(num_queries));
388 break;
389 } else if (num_queries < 0) {
390 ALOGV("Negative eventfd read indicates destructor-initiated shutdown");
391 break;
392 }
393 // Take ownership of all pending queries. (q is always empty here.)
394 mQueue.swap(q);
395 } else if (fds[SSLFD].revents & POLLOUT) {
396 // q cannot be empty here.
397 // Sending the entire queue here would risk a TCP flow control deadlock, so
398 // we only send a single query on each cycle of this loop.
399 // TODO: Coalesce multiple pending queries if there is enough space in the
400 // write buffer.
401 if (!sendQuery(q.front())) {
402 break;
403 }
404 q.pop_front();
405 }
406 }
407 ALOGV("Disconnecting");
408 sslDisconnect();
409 ALOGV("Calling onClosed");
410 mObserver->onClosed();
411 ALOGV("Ending loop");
412 }
413
~DnsTlsSocket()414 DnsTlsSocket::~DnsTlsSocket() {
415 ALOGV("Destructor");
416 // This will trigger an orderly shutdown in loop().
417 requestLoopShutdown();
418 {
419 // Wait for the orderly shutdown to complete.
420 std::lock_guard<std::mutex> guard(mLock);
421 if (mLoopThread && std::this_thread::get_id() == mLoopThread->get_id()) {
422 ALOGE("Violation of re-entrance precondition");
423 return;
424 }
425 }
426 if (mLoopThread) {
427 ALOGV("Waiting for loop thread to terminate");
428 mLoopThread->join();
429 mLoopThread.reset();
430 }
431 ALOGV("Destructor completed");
432 }
433
query(uint16_t id,const Slice query)434 bool DnsTlsSocket::query(uint16_t id, const Slice query) {
435 // Compose the entire message in a single buffer, so that it can be
436 // sent as a single TLS record.
437 std::vector<uint8_t> buf(query.size() + 4);
438 // Write 2-byte length
439 uint16_t len = query.size() + 2; // + 2 for the ID.
440 buf[0] = len >> 8;
441 buf[1] = len;
442 // Write 2-byte ID
443 buf[2] = id >> 8;
444 buf[3] = id;
445 // Copy body
446 std::memcpy(buf.data() + 4, query.base(), query.size());
447
448 mQueue.push(std::move(buf));
449 // Increment the mEventFd counter by 1.
450 return incrementEventFd(1);
451 }
452
requestLoopShutdown()453 void DnsTlsSocket::requestLoopShutdown() {
454 // Write a negative number to the eventfd. This triggers an immediate shutdown.
455 incrementEventFd(INT64_MIN);
456 }
457
incrementEventFd(const int64_t count)458 bool DnsTlsSocket::incrementEventFd(const int64_t count) {
459 if (!mEventFd) {
460 ALOGV("eventfd is not initialized");
461 return false;
462 }
463 int written = write(mEventFd.get(), &count, sizeof(count));
464 if (written != sizeof(count)) {
465 ALOGE("Failed to increment eventfd by %" PRId64, count);
466 return false;
467 }
468 return true;
469 }
470
471 // Read exactly len bytes into buffer or fail with an SSL error code
sslRead(const Slice buffer,bool wait)472 int DnsTlsSocket::sslRead(const Slice buffer, bool wait) {
473 size_t remaining = buffer.size();
474 while (remaining > 0) {
475 int ret = SSL_read(mSsl.get(), buffer.limit() - remaining, remaining);
476 if (ret == 0) {
477 ALOGW_IF(remaining < buffer.size(), "SSL closed with %zu of %zu bytes remaining",
478 remaining, buffer.size());
479 return SSL_ERROR_ZERO_RETURN;
480 }
481
482 if (ret < 0) {
483 const int ssl_err = SSL_get_error(mSsl.get(), ret);
484 if (wait && ssl_err == SSL_ERROR_WANT_READ) {
485 if (waitForReading(mSslFd.get()) != 1) {
486 ALOGV("Poll failed in sslRead: %d", errno);
487 return SSL_ERROR_SYSCALL;
488 }
489 continue;
490 } else {
491 ALOGV("SSL_read error %d", ssl_err);
492 return ssl_err;
493 }
494 }
495
496 remaining -= ret;
497 wait = true; // Once a read is started, try to finish.
498 }
499 return SSL_ERROR_NONE;
500 }
501
sendQuery(const std::vector<uint8_t> & buf)502 bool DnsTlsSocket::sendQuery(const std::vector<uint8_t>& buf) {
503 if (!sslWrite(netdutils::makeSlice(buf))) {
504 return false;
505 }
506 ALOGV("%u SSL_write complete", mMark);
507 return true;
508 }
509
readResponse()510 bool DnsTlsSocket::readResponse() {
511 ALOGV("reading response");
512 uint8_t responseHeader[2];
513 int err = sslRead(Slice(responseHeader, 2), false);
514 if (err == SSL_ERROR_WANT_READ) {
515 ALOGV("Ignoring spurious wakeup from server");
516 return true;
517 }
518 if (err != SSL_ERROR_NONE) {
519 return false;
520 }
521 // Truncate responses larger than MAX_SIZE. This is safe because a DNS packet is
522 // always invalid when truncated, so the response will be treated as an error.
523 constexpr uint16_t MAX_SIZE = 8192;
524 const uint16_t responseSize = (responseHeader[0] << 8) | responseHeader[1];
525 ALOGV("%u Expecting response of size %i", mMark, responseSize);
526 std::vector<uint8_t> response(std::min(responseSize, MAX_SIZE));
527 if (sslRead(netdutils::makeSlice(response), true) != SSL_ERROR_NONE) {
528 ALOGV("%u Failed to read %zu bytes", mMark, response.size());
529 return false;
530 }
531 uint16_t remainingBytes = responseSize - response.size();
532 while (remainingBytes > 0) {
533 constexpr uint16_t CHUNK_SIZE = 2048;
534 std::vector<uint8_t> discard(std::min(remainingBytes, CHUNK_SIZE));
535 if (sslRead(netdutils::makeSlice(discard), true) != SSL_ERROR_NONE) {
536 ALOGV("%u Failed to discard %zu bytes", mMark, discard.size());
537 return false;
538 }
539 remainingBytes -= discard.size();
540 }
541 ALOGV("%u SSL_read complete", mMark);
542
543 mObserver->onResponse(std::move(response));
544 return true;
545 }
546
547 } // end of namespace net
548 } // end of namespace android
549