summaryrefslogtreecommitdiff
path: root/src/resolve/resolved-dns-transaction.c
diff options
context:
space:
mode:
Diffstat (limited to 'src/resolve/resolved-dns-transaction.c')
-rw-r--r--src/resolve/resolved-dns-transaction.c267
1 files changed, 185 insertions, 82 deletions
diff --git a/src/resolve/resolved-dns-transaction.c b/src/resolve/resolved-dns-transaction.c
index f4bbde0219..c60b8215a6 100644
--- a/src/resolve/resolved-dns-transaction.c
+++ b/src/resolve/resolved-dns-transaction.c
@@ -1,22 +1,4 @@
/* SPDX-License-Identifier: LGPL-2.1+ */
-/***
- This file is part of systemd.
-
- Copyright 2014 Lennart Poettering
-
- systemd is free software; you can redistribute it and/or modify it
- under the terms of the GNU Lesser General Public License as published by
- the Free Software Foundation; either version 2.1 of the License, or
- (at your option) any later version.
-
- systemd is distributed in the hope that it will be useful, but
- WITHOUT ANY WARRANTY; without even the implied warranty of
- MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
- Lesser General Public License for more details.
-
- You should have received a copy of the GNU Lesser General Public License
- along with systemd; If not, see <http://www.gnu.org/licenses/>.
-***/
#include "sd-messages.h"
@@ -31,9 +13,16 @@
#include "resolved-llmnr.h"
#include "string-table.h"
+#if ENABLE_DNS_OVER_TLS
+#include <gnutls/socket.h>
+#endif
+
#define TRANSACTIONS_MAX 4096
#define TRANSACTION_TCP_TIMEOUT_USEC (10U*USEC_PER_SEC)
+/* After how much time to repeat classic DNS requests */
+#define DNS_TIMEOUT_USEC (SD_RESOLVED_QUERY_TIMEOUT_USEC / DNS_TRANSACTION_ATTEMPTS_MAX)
+
static void dns_transaction_reset_answer(DnsTransaction *t) {
assert(t);
@@ -64,9 +53,11 @@ static void dns_transaction_close_connection(DnsTransaction *t) {
if (t->stream) {
/* Let's detach the stream from our transaction, in case something else keeps a reference to it. */
- t->stream->complete = NULL;
- t->stream->on_packet = NULL;
- t->stream->transaction = NULL;
+ LIST_REMOVE(transactions_by_stream, t->stream->transactions, t);
+
+ /* Remove packet in case it's still in the queue */
+ dns_packet_unref(ordered_set_remove(t->stream->write_queue, t->sent));
+
t->stream = dns_stream_unref(t->stream);
}
@@ -326,8 +317,7 @@ void dns_transaction_complete(DnsTransaction *t, DnsTransactionState state) {
"DNS_QUESTION=%s", key_str,
"DNSSEC_RESULT=%s", dnssec_result_to_string(t->answer_dnssec_result),
"DNS_SERVER=%s", dns_server_string(t->server),
- "DNS_SERVER_FEATURE_LEVEL=%s", dns_server_feature_level_to_string(t->server->possible_feature_level),
- NULL);
+ "DNS_SERVER_FEATURE_LEVEL=%s", dns_server_feature_level_to_string(t->server->possible_feature_level));
}
/* Note that this call might invalidate the query. Callers
@@ -462,42 +452,33 @@ static int dns_transaction_maybe_restart(DnsTransaction *t) {
return 1;
}
-static int on_stream_complete(DnsStream *s, int error) {
- _cleanup_(dns_packet_unrefp) DnsPacket *p = NULL;
- DnsTransaction *t;
-
- assert(s);
- assert(s->transaction);
-
- /* Copy the data we care about out of the stream before we
- * destroy it. */
- t = s->transaction;
- p = dns_packet_ref(s->read_packet);
+static void on_transaction_stream_error(DnsTransaction *t, int error) {
+ assert(t);
dns_transaction_close_connection(t);
if (ERRNO_IS_DISCONNECT(error)) {
- usec_t usec;
-
if (t->scope->protocol == DNS_PROTOCOL_LLMNR) {
/* If the LLMNR/TCP connection failed, the host doesn't support LLMNR, and we cannot answer the
* question on this scope. */
dns_transaction_complete(t, DNS_TRANSACTION_NOT_FOUND);
- return 0;
+ return;
}
- log_debug_errno(error, "Connection failure for DNS TCP stream: %m");
- assert_se(sd_event_now(t->scope->manager->event, clock_boottime_or_monotonic(), &usec) >= 0);
- dns_server_packet_lost(t->server, IPPROTO_TCP, t->current_feature_level, usec - t->start_usec);
-
dns_transaction_retry(t, true);
- return 0;
+ return;
}
if (error != 0) {
t->answer_errno = error;
dns_transaction_complete(t, DNS_TRANSACTION_ERRNO);
- return 0;
}
+}
+
+static int dns_transaction_on_stream_packet(DnsTransaction *t, DnsPacket *p) {
+ assert(t);
+ assert(p);
+
+ dns_transaction_close_connection(t);
if (dns_packet_validate_reply(p) <= 0) {
log_debug("Invalid TCP reply packet.");
@@ -522,9 +503,83 @@ static int on_stream_complete(DnsStream *s, int error) {
return 0;
}
-static int dns_transaction_open_tcp(DnsTransaction *t) {
+static int on_stream_connection(DnsStream *s) {
+#if ENABLE_DNS_OVER_TLS
+ /* Store TLS Ticket for faster succesive TLS handshakes */
+ if (s->tls_session && s->server) {
+ if (s->server->tls_session_data.data)
+ gnutls_free(s->server->tls_session_data.data);
+
+ gnutls_session_get_data2(s->tls_session, &s->server->tls_session_data);
+ }
+#endif
+
+ return 0;
+}
+
+static int on_stream_complete(DnsStream *s, int error) {
+ DnsTransaction *t, *n;
+ int r = 0;
+
+ /* Do not let new transactions use this stream */
+ if (s->server && s->server->stream == s)
+ s->server->stream = dns_stream_unref(s->server->stream);
+
+ if (ERRNO_IS_DISCONNECT(error) && s->protocol != DNS_PROTOCOL_LLMNR) {
+ usec_t usec;
+
+ log_debug_errno(error, "Connection failure for DNS TCP stream: %m");
+
+ if (s->transactions) {
+ t = s->transactions;
+ assert_se(sd_event_now(t->scope->manager->event, clock_boottime_or_monotonic(), &usec) >= 0);
+ dns_server_packet_lost(t->server, IPPROTO_TCP, t->current_feature_level);
+ }
+ }
+
+ LIST_FOREACH_SAFE(transactions_by_stream, t, n, s->transactions)
+ if (error != 0)
+ on_transaction_stream_error(t, error);
+ else if (DNS_PACKET_ID(s->read_packet) == t->id)
+ /* As each transaction have a unique id the return code is only set once */
+ r = dns_transaction_on_stream_packet(t, s->read_packet);
+
+ return r;
+}
+
+static int dns_stream_on_packet(DnsStream *s) {
+ _cleanup_(dns_packet_unrefp) DnsPacket *p = NULL;
+ int r = 0;
+ DnsTransaction *t;
+
+ /* Take ownership of packet to be able to receive new packets */
+ p = TAKE_PTR(s->read_packet);
+ s->n_read = 0;
+
+ t = hashmap_get(s->manager->dns_transactions, UINT_TO_PTR(DNS_PACKET_ID(p)));
+
+ /* Ignore incorrect transaction id as transaction can have been canceled */
+ if (t)
+ r = dns_transaction_on_stream_packet(t, p);
+ else {
+ if (dns_packet_validate_reply(p) <= 0) {
+ log_debug("Invalid TCP reply packet.");
+ on_stream_complete(s, 0);
+ }
+ return 0;
+ }
+
+ return r;
+}
+
+static int dns_transaction_emit_tcp(DnsTransaction *t) {
_cleanup_close_ int fd = -1;
+ _cleanup_(dns_stream_unrefp) DnsStream *s = NULL;
+ union sockaddr_union sa;
int r;
+#if ENABLE_DNS_OVER_TLS
+ gnutls_session_t gs;
+#endif
assert(t);
@@ -544,13 +599,17 @@ static int dns_transaction_open_tcp(DnsTransaction *t) {
if (r < 0)
return r;
- fd = dns_scope_socket_tcp(t->scope, AF_UNSPEC, NULL, t->server, 53);
+ if (t->server->stream && (DNS_SERVER_FEATURE_LEVEL_IS_TLS(t->current_feature_level) == t->server->stream->encrypted))
+ s = dns_stream_ref(t->server->stream);
+ else
+ fd = dns_scope_socket_tcp(t->scope, AF_UNSPEC, NULL, t->server, DNS_SERVER_FEATURE_LEVEL_IS_TLS(t->current_feature_level) ? 853 : 53, &sa);
+
break;
case DNS_PROTOCOL_LLMNR:
/* When we already received a reply to this (but it was truncated), send to its sender address */
if (t->received)
- fd = dns_scope_socket_tcp(t->scope, t->received->family, &t->received->sender, NULL, t->received->sender_port);
+ fd = dns_scope_socket_tcp(t->scope, t->received->family, &t->received->sender, NULL, t->received->sender_port, &sa);
else {
union in_addr_union address;
int family = AF_UNSPEC;
@@ -567,7 +626,7 @@ static int dns_transaction_open_tcp(DnsTransaction *t) {
if (family != t->scope->family)
return -ESRCH;
- fd = dns_scope_socket_tcp(t->scope, family, &address, NULL, LLMNR_PORT);
+ fd = dns_scope_socket_tcp(t->scope, family, &address, NULL, LLMNR_PORT, &sa);
}
break;
@@ -576,28 +635,67 @@ static int dns_transaction_open_tcp(DnsTransaction *t) {
return -EAFNOSUPPORT;
}
- if (fd < 0)
- return fd;
+ if (!s) {
+ if (fd < 0)
+ return fd;
- r = dns_stream_new(t->scope->manager, &t->stream, t->scope->protocol, fd);
- if (r < 0)
- return r;
- fd = -1;
+ r = dns_stream_new(t->scope->manager, &s, t->scope->protocol, fd, &sa);
+ if (r < 0)
+ return r;
+
+ fd = -1;
+
+ if (t->server) {
+ dns_stream_unref(t->server->stream);
+ t->server->stream = dns_stream_ref(s);
+ s->server = dns_server_ref(t->server);
+ }
+
+#if ENABLE_DNS_OVER_TLS
+ if (DNS_SERVER_FEATURE_LEVEL_IS_TLS(t->current_feature_level)) {
+ r = gnutls_init(&gs, GNUTLS_CLIENT | GNUTLS_ENABLE_FALSE_START | GNUTLS_NONBLOCK);
+ if (r < 0)
+ return r;
+
+ /* As DNS-over-TLS is a recent protocol, older TLS versions can be disabled */
+ r = gnutls_priority_set_direct(gs, "NORMAL:-VERS-ALL:+VERS-TLS1.2", NULL);
+ if (r < 0)
+ return r;
+
+ r = gnutls_credentials_set(gs, GNUTLS_CRD_CERTIFICATE, t->server->tls_cert_cred);
+ if (r < 0)
+ return r;
+
+ if (t->server && t->server->tls_session_data.size > 0)
+ gnutls_session_set_data(gs, t->server->tls_session_data.data, t->server->tls_session_data.size);
+
+ gnutls_handshake_set_timeout(gs, GNUTLS_DEFAULT_HANDSHAKE_TIMEOUT);
+
+ r = dns_stream_connect_tls(s, gs);
+ if (r < 0)
+ return r;
+ }
+#endif
+
+ s->on_connection = on_stream_connection;
+ s->complete = on_stream_complete;
+ s->on_packet = dns_stream_on_packet;
+
+ /* The interface index is difficult to determine if we are
+ * connecting to the local host, hence fill this in right away
+ * instead of determining it from the socket */
+ s->ifindex = dns_scope_ifindex(t->scope);
+ }
+
+ t->stream = TAKE_PTR(s);
+ LIST_PREPEND(transactions_by_stream, t->stream->transactions, t);
r = dns_stream_write_packet(t->stream, t->sent);
if (r < 0) {
- t->stream = dns_stream_unref(t->stream);
+ dns_transaction_close_connection(t);
return r;
}
- t->stream->complete = on_stream_complete;
- t->stream->transaction = t;
-
- /* The interface index is difficult to determine if we are
- * connecting to the local host, hence fill this in right away
- * instead of determining it from the socket */
- t->stream->ifindex = dns_scope_ifindex(t->scope);
-
dns_transaction_reset_answer(t);
t->tried_stream = true;
@@ -691,7 +789,6 @@ static int dns_transaction_dnssec_ready(DnsTransaction *t) {
dns_transaction_complete(t, DNS_TRANSACTION_DNSSEC_FAILED);
return 0;
-
default:
log_debug("Auxiliary DNSSEC RR query failed with %s", dns_transaction_state_to_string(dt->state));
goto fail;
@@ -845,7 +942,8 @@ void dns_transaction_process_reply(DnsTransaction *t, DnsPacket *p) {
* should hence not attempt to access the query or transaction
* after calling this function. */
- log_debug("Processing incoming packet on transaction %" PRIu16". (rcode=%s)", t->id, dns_rcode_to_string(DNS_PACKET_RCODE(p)));
+ log_debug("Processing incoming packet on transaction %" PRIu16" (rcode=%s).",
+ t->id, dns_rcode_to_string(DNS_PACKET_RCODE(p)));
switch (t->scope->protocol) {
@@ -944,7 +1042,17 @@ void dns_transaction_process_reply(DnsTransaction *t, DnsPacket *p) {
}
/* Reduce this feature level by one and try again. */
- t->clamp_feature_level = t->current_feature_level - 1;
+ switch (t->current_feature_level) {
+ case DNS_SERVER_FEATURE_LEVEL_TLS_DO:
+ t->clamp_feature_level = DNS_SERVER_FEATURE_LEVEL_TLS_PLAIN;
+ break;
+ case DNS_SERVER_FEATURE_LEVEL_TLS_PLAIN + 1:
+ /* Skip plain TLS when TLS is not supported */
+ t->clamp_feature_level = DNS_SERVER_FEATURE_LEVEL_TLS_PLAIN - 1;
+ break;
+ default:
+ t->clamp_feature_level = t->current_feature_level - 1;
+ }
log_debug("Server returned error %s, retrying transaction with reduced feature level %s.",
dns_rcode_to_string(DNS_PACKET_RCODE(p)),
@@ -986,7 +1094,7 @@ void dns_transaction_process_reply(DnsTransaction *t, DnsPacket *p) {
log_debug("Reply truncated, retrying via TCP.");
/* Response was truncated, let's try again with good old TCP */
- r = dns_transaction_open_tcp(t);
+ r = dns_transaction_emit_tcp(t);
if (r == -ESRCH) {
/* No servers found? Damn! */
dns_transaction_complete(t, DNS_TRANSACTION_NO_SERVERS);
@@ -1030,7 +1138,7 @@ void dns_transaction_process_reply(DnsTransaction *t, DnsPacket *p) {
dns_server_packet_bad_opt(t->server, t->current_feature_level);
/* Report that we successfully received a packet */
- dns_server_packet_received(t->server, p->ipproto, t->current_feature_level, ts - t->start_usec, p->size);
+ dns_server_packet_received(t->server, p->ipproto, t->current_feature_level, p->size);
}
/* See if we know things we didn't know before that indicate we better restart the lookup immediately. */
@@ -1119,7 +1227,7 @@ static int on_dns_packet(sd_event_source *s, int fd, uint32_t revents, void *use
log_debug_errno(r, "Connection failure for DNS UDP packet: %m");
assert_se(sd_event_now(t->scope->manager->event, clock_boottime_or_monotonic(), &usec) >= 0);
- dns_server_packet_lost(t->server, IPPROTO_UDP, t->current_feature_level, usec - t->start_usec);
+ dns_server_packet_lost(t->server, IPPROTO_UDP, t->current_feature_level);
dns_transaction_retry(t, true);
return 0;
@@ -1160,7 +1268,7 @@ static int dns_transaction_emit_udp(DnsTransaction *t) {
if (r < 0)
return r;
- if (t->current_feature_level < DNS_SERVER_FEATURE_LEVEL_UDP)
+ if (t->current_feature_level < DNS_SERVER_FEATURE_LEVEL_UDP || DNS_SERVER_FEATURE_LEVEL_IS_TLS(t->current_feature_level))
return -EAGAIN; /* Sorry, can't do UDP, try TCP! */
if (!dns_server_dnssec_supported(t->server) && dns_type_is_dnssec(t->key->type))
@@ -1212,7 +1320,7 @@ static int on_transaction_timeout(sd_event_source *s, usec_t usec, void *userdat
case DNS_PROTOCOL_DNS:
assert(t->server);
- dns_server_packet_lost(t->server, t->stream ? IPPROTO_TCP : IPPROTO_UDP, t->current_feature_level, usec - t->start_usec);
+ dns_server_packet_lost(t->server, t->stream ? IPPROTO_TCP : IPPROTO_UDP, t->current_feature_level);
break;
case DNS_PROTOCOL_LLMNR:
@@ -1238,7 +1346,6 @@ static usec_t transaction_get_resend_timeout(DnsTransaction *t) {
assert(t);
assert(t->scope);
-
switch (t->scope->protocol) {
case DNS_PROTOCOL_DNS:
@@ -1249,8 +1356,7 @@ static usec_t transaction_get_resend_timeout(DnsTransaction *t) {
if (t->stream)
return TRANSACTION_TCP_TIMEOUT_USEC;
- assert(t->server);
- return t->server->resend_timeout;
+ return DNS_TIMEOUT_USEC;
case DNS_PROTOCOL_MDNS:
assert(t->n_attempts > 0);
@@ -1530,8 +1636,7 @@ static int dns_transaction_make_packet_mdns(DnsTransaction *t) {
}
DNS_PACKET_HEADER(p)->nscount = htobe16(nscount);
- t->sent = p;
- p = NULL;
+ t->sent = TAKE_PTR(p);
return 0;
}
@@ -1559,8 +1664,7 @@ static int dns_transaction_make_packet(DnsTransaction *t) {
DNS_PACKET_HEADER(p)->qdcount = htobe16(1);
DNS_PACKET_HEADER(p)->id = t->id;
- t->sent = p;
- p = NULL;
+ t->sent = TAKE_PTR(p);
return 0;
}
@@ -1645,7 +1749,7 @@ int dns_transaction_go(DnsTransaction *t) {
/* RFC 4795, Section 2.4. says reverse lookups shall
* always be made via TCP on LLMNR */
- r = dns_transaction_open_tcp(t);
+ r = dns_transaction_emit_tcp(t);
} else {
/* Try via UDP, and if that fails due to large size or lack of
* support try via TCP */
@@ -1653,9 +1757,9 @@ int dns_transaction_go(DnsTransaction *t) {
if (r == -EMSGSIZE)
log_debug("Sending query via TCP since it is too large.");
else if (r == -EAGAIN)
- log_debug("Sending query via TCP since server doesn't support UDP.");
+ log_debug("Sending query via TCP since UDP isn't supported.");
if (IN_SET(r, -EMSGSIZE, -EAGAIN))
- r = dns_transaction_open_tcp(t);
+ r = dns_transaction_emit_tcp(t);
}
if (r == -ESRCH) {
@@ -3079,8 +3183,7 @@ int dns_transaction_validate_dnssec(DnsTransaction *t) {
}
dns_answer_unref(t->answer);
- t->answer = validated;
- validated = NULL;
+ t->answer = TAKE_PTR(validated);
/* At this point the answer only contains validated
* RRsets. Now, let's see if it actually answers the question
View Lorry Controller Status