1 /* SPDX-License-Identifier: LGPL-2.1+ */
3 Copyright 2014 Lennart Poettering
6 #include <netinet/tcp.h>
8 #include "alloc-util.h"
12 #include "resolved-dns-stream.h"
14 #define DNS_STREAM_TIMEOUT_USEC (10 * USEC_PER_SEC)
15 #define DNS_STREAMS_MAX 128
17 #define WRITE_TLS_DATA 1
19 static void dns_stream_stop(DnsStream
*s
) {
22 s
->io_event_source
= sd_event_source_unref(s
->io_event_source
);
23 s
->timeout_event_source
= sd_event_source_unref(s
->timeout_event_source
);
24 s
->fd
= safe_close(s
->fd
);
27 static int dns_stream_update_io(DnsStream
*s
) {
32 if (s
->write_packet
&& s
->n_written
< sizeof(s
->write_size
) + s
->write_packet
->size
)
34 else if (!ordered_set_isempty(s
->write_queue
)) {
35 dns_packet_unref(s
->write_packet
);
36 s
->write_packet
= ordered_set_steal_first(s
->write_queue
);
37 s
->write_size
= htobe16(s
->write_packet
->size
);
41 if (!s
->read_packet
|| s
->n_read
< sizeof(s
->read_size
) + s
->read_packet
->size
)
44 return sd_event_source_set_io_events(s
->io_event_source
, f
);
47 static int dns_stream_complete(DnsStream
*s
, int error
) {
51 if (s
->tls_session
&& IN_SET(error
, ETIMEDOUT
, 0)) {
54 r
= gnutls_bye(s
->tls_session
, GNUTLS_SHUT_RDWR
);
55 if (r
== GNUTLS_E_AGAIN
&& !s
->tls_bye
) {
56 dns_stream_ref(s
); /* keep reference for closing TLS session */
65 s
->complete(s
, error
);
66 else /* the default action if no completion function is set is to close the stream */
72 static int dns_stream_identify(DnsStream
*s
) {
74 struct cmsghdr header
; /* For alignment */
75 uint8_t buffer
[CMSG_SPACE(MAXSIZE(struct in_pktinfo
, struct in6_pktinfo
))
76 + EXTRA_CMSG_SPACE
/* kernel appears to require extra space */];
78 struct msghdr mh
= {};
88 /* Query the local side */
89 s
->local_salen
= sizeof(s
->local
);
90 r
= getsockname(s
->fd
, &s
->local
.sa
, &s
->local_salen
);
93 if (s
->local
.sa
.sa_family
== AF_INET6
&& s
->ifindex
<= 0)
94 s
->ifindex
= s
->local
.in6
.sin6_scope_id
;
96 /* Query the remote side */
97 s
->peer_salen
= sizeof(s
->peer
);
98 r
= getpeername(s
->fd
, &s
->peer
.sa
, &s
->peer_salen
);
101 if (s
->peer
.sa
.sa_family
== AF_INET6
&& s
->ifindex
<= 0)
102 s
->ifindex
= s
->peer
.in6
.sin6_scope_id
;
104 /* Check consistency */
105 assert(s
->peer
.sa
.sa_family
== s
->local
.sa
.sa_family
);
106 assert(IN_SET(s
->peer
.sa
.sa_family
, AF_INET
, AF_INET6
));
108 /* Query connection meta information */
109 sl
= sizeof(control
);
110 if (s
->peer
.sa
.sa_family
== AF_INET
) {
111 r
= getsockopt(s
->fd
, IPPROTO_IP
, IP_PKTOPTIONS
, &control
, &sl
);
114 } else if (s
->peer
.sa
.sa_family
== AF_INET6
) {
116 r
= getsockopt(s
->fd
, IPPROTO_IPV6
, IPV6_2292PKTOPTIONS
, &control
, &sl
);
120 return -EAFNOSUPPORT
;
122 mh
.msg_control
= &control
;
123 mh
.msg_controllen
= sl
;
125 CMSG_FOREACH(cmsg
, &mh
) {
127 if (cmsg
->cmsg_level
== IPPROTO_IPV6
) {
128 assert(s
->peer
.sa
.sa_family
== AF_INET6
);
130 switch (cmsg
->cmsg_type
) {
133 struct in6_pktinfo
*i
= (struct in6_pktinfo
*) CMSG_DATA(cmsg
);
136 s
->ifindex
= i
->ipi6_ifindex
;
141 s
->ttl
= *(int *) CMSG_DATA(cmsg
);
145 } else if (cmsg
->cmsg_level
== IPPROTO_IP
) {
146 assert(s
->peer
.sa
.sa_family
== AF_INET
);
148 switch (cmsg
->cmsg_type
) {
151 struct in_pktinfo
*i
= (struct in_pktinfo
*) CMSG_DATA(cmsg
);
154 s
->ifindex
= i
->ipi_ifindex
;
159 s
->ttl
= *(int *) CMSG_DATA(cmsg
);
165 /* The Linux kernel sets the interface index to the loopback
166 * device if the connection came from the local host since it
167 * avoids the routing table in such a case. Let's unset the
168 * interface index in such a case. */
169 if (s
->ifindex
== LOOPBACK_IFINDEX
)
172 /* If we don't know the interface index still, we look for the
173 * first local interface with a matching address. Yuck! */
175 s
->ifindex
= manager_find_ifindex(s
->manager
, s
->local
.sa
.sa_family
, s
->local
.sa
.sa_family
== AF_INET
? (union in_addr_union
*) &s
->local
.in
.sin_addr
: (union in_addr_union
*) &s
->local
.in6
.sin6_addr
);
177 if (s
->protocol
== DNS_PROTOCOL_LLMNR
&& s
->ifindex
> 0) {
178 uint32_t ifindex
= htobe32(s
->ifindex
);
180 /* Make sure all packets for this connection are sent on the same interface */
181 if (s
->local
.sa
.sa_family
== AF_INET
) {
182 r
= setsockopt(s
->fd
, IPPROTO_IP
, IP_UNICAST_IF
, &ifindex
, sizeof(ifindex
));
184 log_debug_errno(errno
, "Failed to invoke IP_UNICAST_IF: %m");
185 } else if (s
->local
.sa
.sa_family
== AF_INET6
) {
186 r
= setsockopt(s
->fd
, IPPROTO_IPV6
, IPV6_UNICAST_IF
, &ifindex
, sizeof(ifindex
));
188 log_debug_errno(errno
, "Failed to invoke IPV6_UNICAST_IF: %m");
192 s
->identified
= true;
197 static ssize_t
dns_stream_writev(DnsStream
*s
, const struct iovec
*iov
, size_t iovcnt
, int flags
) {
204 if (s
->tls_session
&& !(flags
& WRITE_TLS_DATA
)) {
209 for (i
= 0; i
< iovcnt
; i
++) {
210 ss
= gnutls_record_send(s
->tls_session
, iov
[i
].iov_base
, iov
[i
].iov_len
);
214 case GNUTLS_E_INTERRUPTED
:
219 log_debug("Failed to invoke gnutls_record_send: %s", gnutls_strerror(ss
));
225 if (ss
!= (ssize_t
) iov
[i
].iov_len
)
230 if (s
->tfo_salen
> 0) {
231 struct msghdr hdr
= {
232 .msg_iov
= (struct iovec
*) iov
,
233 .msg_iovlen
= iovcnt
,
234 .msg_name
= &s
->tfo_address
.sa
,
235 .msg_namelen
= s
->tfo_salen
238 r
= sendmsg(s
->fd
, &hdr
, MSG_FASTOPEN
);
240 if (errno
== EOPNOTSUPP
) {
242 r
= connect(s
->fd
, &s
->tfo_address
.sa
, s
->tfo_salen
);
247 } else if (errno
== EINPROGRESS
)
250 s
->tfo_salen
= 0; /* connection is made */
252 r
= writev(s
->fd
, iov
, iovcnt
);
257 static ssize_t
dns_stream_read(DnsStream
*s
, void *buf
, size_t count
) {
261 if (s
->tls_session
) {
262 ss
= gnutls_record_recv(s
->tls_session
, buf
, count
);
266 case GNUTLS_E_INTERRUPTED
:
271 log_debug("Failed to invoke gnutls_record_send: %s", gnutls_strerror(ss
));
274 } else if (s
->on_connection
) {
277 r
= s
->on_connection(s
);
278 s
->on_connection
= NULL
; /* only call once */
284 ss
= read(s
->fd
, buf
, count
);
290 static ssize_t
dns_stream_tls_writev(gnutls_transport_ptr_t p
, const giovec_t
* iov
, int iovcnt
) {
295 r
= dns_stream_writev((DnsStream
*) p
, (struct iovec
*) iov
, iovcnt
, WRITE_TLS_DATA
);
305 static int on_stream_timeout(sd_event_source
*es
, usec_t usec
, void *userdata
) {
306 DnsStream
*s
= userdata
;
310 return dns_stream_complete(s
, ETIMEDOUT
);
313 static int on_stream_io(sd_event_source
*es
, int fd
, uint32_t revents
, void *userdata
) {
314 DnsStream
*s
= userdata
;
321 assert(s
->tls_session
);
323 r
= gnutls_bye(s
->tls_session
, GNUTLS_SHUT_RDWR
);
324 if (r
!= GNUTLS_E_AGAIN
) {
332 if (s
->tls_handshake
< 0) {
333 assert(s
->tls_session
);
335 s
->tls_handshake
= gnutls_handshake(s
->tls_session
);
336 if (s
->tls_handshake
>= 0) {
337 if (s
->on_connection
&& !(gnutls_session_get_flags(s
->tls_session
) & GNUTLS_SFLAGS_FALSE_START
)) {
338 r
= s
->on_connection(s
);
339 s
->on_connection
= NULL
; /* only call once */
344 if (gnutls_error_is_fatal(s
->tls_handshake
))
345 return dns_stream_complete(s
, ECONNREFUSED
);
353 /* only identify after connecting */
354 if (s
->tfo_salen
== 0) {
355 r
= dns_stream_identify(s
);
357 return dns_stream_complete(s
, -r
);
360 if ((revents
& EPOLLOUT
) &&
362 s
->n_written
< sizeof(s
->write_size
) + s
->write_packet
->size
) {
367 iov
[0].iov_base
= &s
->write_size
;
368 iov
[0].iov_len
= sizeof(s
->write_size
);
369 iov
[1].iov_base
= DNS_PACKET_DATA(s
->write_packet
);
370 iov
[1].iov_len
= s
->write_packet
->size
;
372 IOVEC_INCREMENT(iov
, 2, s
->n_written
);
374 ss
= dns_stream_writev(s
, iov
, 2, 0);
376 if (!IN_SET(errno
, EINTR
, EAGAIN
))
377 return dns_stream_complete(s
, errno
);
381 /* Are we done? If so, disable the event source for EPOLLOUT */
382 if (s
->n_written
>= sizeof(s
->write_size
) + s
->write_packet
->size
) {
383 r
= dns_stream_update_io(s
);
385 return dns_stream_complete(s
, -r
);
389 if ((revents
& (EPOLLIN
|EPOLLHUP
|EPOLLRDHUP
)) &&
391 s
->n_read
< sizeof(s
->read_size
) + s
->read_packet
->size
)) {
393 if (s
->n_read
< sizeof(s
->read_size
)) {
396 ss
= dns_stream_read(s
, (uint8_t*) &s
->read_size
+ s
->n_read
, sizeof(s
->read_size
) - s
->n_read
);
398 if (!IN_SET(errno
, EINTR
, EAGAIN
))
399 return dns_stream_complete(s
, errno
);
401 return dns_stream_complete(s
, ECONNRESET
);
406 if (s
->n_read
>= sizeof(s
->read_size
)) {
408 if (be16toh(s
->read_size
) < DNS_PACKET_HEADER_SIZE
)
409 return dns_stream_complete(s
, EBADMSG
);
411 if (s
->n_read
< sizeof(s
->read_size
) + be16toh(s
->read_size
)) {
414 if (!s
->read_packet
) {
415 r
= dns_packet_new(&s
->read_packet
, s
->protocol
, be16toh(s
->read_size
), DNS_PACKET_SIZE_MAX
);
417 return dns_stream_complete(s
, -r
);
419 s
->read_packet
->size
= be16toh(s
->read_size
);
420 s
->read_packet
->ipproto
= IPPROTO_TCP
;
421 s
->read_packet
->family
= s
->peer
.sa
.sa_family
;
422 s
->read_packet
->ttl
= s
->ttl
;
423 s
->read_packet
->ifindex
= s
->ifindex
;
425 if (s
->read_packet
->family
== AF_INET
) {
426 s
->read_packet
->sender
.in
= s
->peer
.in
.sin_addr
;
427 s
->read_packet
->sender_port
= be16toh(s
->peer
.in
.sin_port
);
428 s
->read_packet
->destination
.in
= s
->local
.in
.sin_addr
;
429 s
->read_packet
->destination_port
= be16toh(s
->local
.in
.sin_port
);
431 assert(s
->read_packet
->family
== AF_INET6
);
432 s
->read_packet
->sender
.in6
= s
->peer
.in6
.sin6_addr
;
433 s
->read_packet
->sender_port
= be16toh(s
->peer
.in6
.sin6_port
);
434 s
->read_packet
->destination
.in6
= s
->local
.in6
.sin6_addr
;
435 s
->read_packet
->destination_port
= be16toh(s
->local
.in6
.sin6_port
);
437 if (s
->read_packet
->ifindex
== 0)
438 s
->read_packet
->ifindex
= s
->peer
.in6
.sin6_scope_id
;
439 if (s
->read_packet
->ifindex
== 0)
440 s
->read_packet
->ifindex
= s
->local
.in6
.sin6_scope_id
;
444 ss
= dns_stream_read(s
,
445 (uint8_t*) DNS_PACKET_DATA(s
->read_packet
) + s
->n_read
- sizeof(s
->read_size
),
446 sizeof(s
->read_size
) + be16toh(s
->read_size
) - s
->n_read
);
448 if (!IN_SET(errno
, EINTR
, EAGAIN
))
449 return dns_stream_complete(s
, errno
);
451 return dns_stream_complete(s
, ECONNRESET
);
456 /* Are we done? If so, disable the event source for EPOLLIN */
457 if (s
->n_read
>= sizeof(s
->read_size
) + be16toh(s
->read_size
)) {
458 /* If there's a packet handler
459 * installed, call that. Note that
460 * this is optional... */
467 r
= dns_stream_update_io(s
);
469 return dns_stream_complete(s
, -r
);
474 if ((s
->write_packet
&& s
->n_written
>= sizeof(s
->write_size
) + s
->write_packet
->size
) &&
475 (s
->read_packet
&& s
->n_read
>= sizeof(s
->read_size
) + s
->read_packet
->size
))
476 return dns_stream_complete(s
, 0);
481 DnsStream
*dns_stream_unref(DnsStream
*s
) {
488 assert(s
->n_ref
> 0);
496 if (s
->server
&& s
->server
->stream
== s
)
497 s
->server
->stream
= NULL
;
500 LIST_REMOVE(streams
, s
->manager
->dns_streams
, s
);
501 s
->manager
->n_dns_streams
--;
506 gnutls_deinit(s
->tls_session
);
509 ORDERED_SET_FOREACH(p
, s
->write_queue
, i
)
510 dns_packet_unref(ordered_set_remove(s
->write_queue
, p
));
512 dns_packet_unref(s
->write_packet
);
513 dns_packet_unref(s
->read_packet
);
514 dns_server_unref(s
->server
);
516 ordered_set_free(s
->write_queue
);
521 DnsStream
*dns_stream_ref(DnsStream
*s
) {
525 assert(s
->n_ref
> 0);
531 int dns_stream_new(Manager
*m
, DnsStream
**ret
, DnsProtocol protocol
, int fd
, const union sockaddr_union
*tfo_address
) {
532 _cleanup_(dns_stream_unrefp
) DnsStream
*s
= NULL
;
538 if (m
->n_dns_streams
> DNS_STREAMS_MAX
)
541 s
= new0(DnsStream
, 1);
545 r
= ordered_set_ensure_allocated(&s
->write_queue
, &dns_packet_hash_ops
);
551 s
->protocol
= protocol
;
553 r
= sd_event_add_io(m
->event
, &s
->io_event_source
, fd
, EPOLLIN
, on_stream_io
, s
);
557 (void) sd_event_source_set_description(s
->io_event_source
, "dns-stream-io");
559 r
= sd_event_add_time(
561 &s
->timeout_event_source
,
562 clock_boottime_or_monotonic(),
563 now(clock_boottime_or_monotonic()) + DNS_STREAM_TIMEOUT_USEC
, 0,
564 on_stream_timeout
, s
);
568 (void) sd_event_source_set_description(s
->timeout_event_source
, "dns-stream-timeout");
570 LIST_PREPEND(streams
, m
->dns_streams
, s
);
574 s
->tfo_address
= *tfo_address
;
575 s
->tfo_salen
= tfo_address
->sa
.sa_family
== AF_INET6
? sizeof(tfo_address
->in6
) : sizeof(tfo_address
->in
);
586 int dns_stream_connect_tls(DnsStream
*s
, gnutls_session_t tls_session
) {
587 gnutls_transport_set_ptr2(tls_session
, (gnutls_transport_ptr_t
) (long) s
->fd
, s
);
588 gnutls_transport_set_vec_push_function(tls_session
, &dns_stream_tls_writev
);
591 s
->tls_session
= tls_session
;
592 s
->tls_handshake
= gnutls_handshake(tls_session
);
593 if (s
->tls_handshake
< 0 && gnutls_error_is_fatal(s
->tls_handshake
))
594 return -ECONNREFUSED
;
600 int dns_stream_write_packet(DnsStream
*s
, DnsPacket
*p
) {
605 r
= ordered_set_put(s
->write_queue
, p
);
611 return dns_stream_update_io(s
);