[thirdparty/systemd.git] / src / resolve / resolved-dns-stream.c

/* SPDX-License-Identifier: LGPL-2.1-or-later */

#include <netinet/tcp.h>
#include <unistd.h>

#include "alloc-util.h"
#include "fd-util.h"
#include "io-util.h"
#include "macro.h"
#include "missing_network.h"
#include "resolved-dns-stream.h"
#include "resolved-manager.h"

#define DNS_STREAMS_MAX 128

#define DNS_QUERIES_PER_STREAM 32

static void dns_stream_stop(DnsStream *s) {
        assert(s);

        s->io_event_source = sd_event_source_disable_unref(s->io_event_source);
        s->timeout_event_source = sd_event_source_disable_unref(s->timeout_event_source);
        s->fd = safe_close(s->fd);

        /* Disconnect us from the server object if we are now not usable anymore */
        dns_stream_detach(s);
}

static int dns_stream_update_io(DnsStream *s) {
        int f = 0;

        assert(s);

        if (s->write_packet && s->n_written < sizeof(s->write_size) + s->write_packet->size)
                f |= EPOLLOUT;
        else if (!ordered_set_isempty(s->write_queue)) {
                dns_packet_unref(s->write_packet);
                s->write_packet = ordered_set_steal_first(s->write_queue);
                s->write_size = htobe16(s->write_packet->size);
                s->n_written = 0;
                f |= EPOLLOUT;
        }

        /* Let's read a packet if we haven't queued any yet. Except if we already hit a limit of parallel
         * queries for this connection. */
        if ((!s->read_packet || s->n_read < sizeof(s->read_size) + s->read_packet->size) &&
                set_size(s->queries) < DNS_QUERIES_PER_STREAM)
                f |= EPOLLIN;

#if ENABLE_DNS_OVER_TLS
        /* For handshake and clean closing purposes, TLS can override requested events */
        if (s->dnstls_events != 0)
                f = s->dnstls_events;
#endif

        return sd_event_source_set_io_events(s->io_event_source, f);
}

static int dns_stream_complete(DnsStream *s, int error) {
        _cleanup_(dns_stream_unrefp) _unused_ DnsStream *ref = dns_stream_ref(s); /* Protect stream while we process it */

        assert(s);
        assert(error >= 0);

        /* Error is > 0 when the connection failed for some reason in the network stack. It's == 0 if we sent
         * and received exactly one packet each (in the LLMNR client case). */

#if ENABLE_DNS_OVER_TLS
        if (s->encrypted) {
                int r;

                r = dnstls_stream_shutdown(s, error);
                if (r != -EAGAIN)
                        dns_stream_stop(s);
        } else
#endif
                dns_stream_stop(s);

        dns_stream_detach(s);

        if (s->complete)
                s->complete(s, error);
        else /* the default action if no completion function is set is to close the stream */
                dns_stream_unref(s);

        return 0;
}

static int dns_stream_identify(DnsStream *s) {
        CMSG_BUFFER_TYPE(CMSG_SPACE(MAXSIZE(struct in_pktinfo, struct in6_pktinfo))
                         + CMSG_SPACE(int) + /* for the TTL */
                         + EXTRA_CMSG_SPACE /* kernel appears to require extra space */) control;
        struct msghdr mh = {};
        struct cmsghdr *cmsg;
        socklen_t sl;
        int r;

        assert(s);

        if (s->identified)
                return 0;

        /* Query the local side */
        s->local_salen = sizeof(s->local);
        r = getsockname(s->fd, &s->local.sa, &s->local_salen);
        if (r < 0)
                return -errno;
        if (s->local.sa.sa_family == AF_INET6 && s->ifindex <= 0)
                s->ifindex = s->local.in6.sin6_scope_id;

        /* Query the remote side */
        s->peer_salen = sizeof(s->peer);
        r = getpeername(s->fd, &s->peer.sa, &s->peer_salen);
        if (r < 0)
                return -errno;
        if (s->peer.sa.sa_family == AF_INET6 && s->ifindex <= 0)
                s->ifindex = s->peer.in6.sin6_scope_id;

        /* Check consistency */
        assert(s->peer.sa.sa_family == s->local.sa.sa_family);
        assert(IN_SET(s->peer.sa.sa_family, AF_INET, AF_INET6));

        /* Query connection meta information */
        sl = sizeof(control);
        if (s->peer.sa.sa_family == AF_INET) {
                r = getsockopt(s->fd, IPPROTO_IP, IP_PKTOPTIONS, &control, &sl);
                if (r < 0)
                        return -errno;
        } else if (s->peer.sa.sa_family == AF_INET6) {

                r = getsockopt(s->fd, IPPROTO_IPV6, IPV6_2292PKTOPTIONS, &control, &sl);
                if (r < 0)
                        return -errno;
        } else
                return -EAFNOSUPPORT;

        mh.msg_control = &control;
        mh.msg_controllen = sl;

        CMSG_FOREACH(cmsg, &mh) {

                if (cmsg->cmsg_level == IPPROTO_IPV6) {
                        assert(s->peer.sa.sa_family == AF_INET6);

                        switch (cmsg->cmsg_type) {

                        case IPV6_PKTINFO: {
                                struct in6_pktinfo *i = (struct in6_pktinfo*) CMSG_DATA(cmsg);

                                if (s->ifindex <= 0)
                                        s->ifindex = i->ipi6_ifindex;
                                break;
                        }

                        case IPV6_HOPLIMIT:
                                s->ttl = *(int *) CMSG_DATA(cmsg);
                                break;
                        }

                } else if (cmsg->cmsg_level == IPPROTO_IP) {
                        assert(s->peer.sa.sa_family == AF_INET);

                        switch (cmsg->cmsg_type) {

                        case IP_PKTINFO: {
                                struct in_pktinfo *i = (struct in_pktinfo*) CMSG_DATA(cmsg);

                                if (s->ifindex <= 0)
                                        s->ifindex = i->ipi_ifindex;
                                break;
                        }

                        case IP_TTL:
                                s->ttl = *(int *) CMSG_DATA(cmsg);
                                break;
                        }
                }
        }

        /* The Linux kernel sets the interface index to the loopback
         * device if the connection came from the local host since it
         * avoids the routing table in such a case. Let's unset the
         * interface index in such a case. */
        if (s->ifindex == LOOPBACK_IFINDEX)
                s->ifindex = 0;

        /* If we don't know the interface index still, we look for the
         * first local interface with a matching address. Yuck! */
        if (s->ifindex <= 0)
                s->ifindex = manager_find_ifindex(s->manager, s->local.sa.sa_family, sockaddr_in_addr(&s->local.sa));

        if (s->protocol == DNS_PROTOCOL_LLMNR && s->ifindex > 0) {
                /* Make sure all packets for this connection are sent on the same interface */
                r = socket_set_unicast_if(s->fd, s->local.sa.sa_family, s->ifindex);
                if (r < 0)
                        log_debug_errno(errno, "Failed to invoke IP_UNICAST_IF/IPV6_UNICAST_IF: %m");
        }

        s->identified = true;

        return 0;
}

ssize_t dns_stream_writev(DnsStream *s, const struct iovec *iov, size_t iovcnt, int flags) {
        ssize_t m;

        assert(s);
        assert(iov);

#if ENABLE_DNS_OVER_TLS
        if (s->encrypted && !(flags & DNS_STREAM_WRITE_TLS_DATA)) {
                ssize_t ss;
                size_t i;

                m = 0;
                for (i = 0; i < iovcnt; i++) {
                        ss = dnstls_stream_write(s, iov[i].iov_base, iov[i].iov_len);
                        if (ss < 0)
                                return ss;

                        m += ss;
                        if (ss != (ssize_t) iov[i].iov_len)
                                continue;
                }
        } else
#endif
        if (s->tfo_salen > 0) {
                struct msghdr hdr = {
                        .msg_iov = (struct iovec*) iov,
                        .msg_iovlen = iovcnt,
                        .msg_name = &s->tfo_address.sa,
                        .msg_namelen = s->tfo_salen
                };

                m = sendmsg(s->fd, &hdr, MSG_FASTOPEN);
                if (m < 0) {
                        if (errno == EOPNOTSUPP) {
                                s->tfo_salen = 0;
                                if (connect(s->fd, &s->tfo_address.sa, s->tfo_salen) < 0)
                                        return -errno;

                                return -EAGAIN;
                        }
                        if (errno == EINPROGRESS)
                                return -EAGAIN;

                        return -errno;
                } else
                        s->tfo_salen = 0; /* connection is made */
        } else {
                m = writev(s->fd, iov, iovcnt);
                if (m < 0)
                        return -errno;
        }

        return m;
}

static ssize_t dns_stream_read(DnsStream *s, void *buf, size_t count) {
        ssize_t ss;

#if ENABLE_DNS_OVER_TLS
        if (s->encrypted)
                ss = dnstls_stream_read(s, buf, count);
        else
#endif
        {
                ss = read(s->fd, buf, count);
                if (ss < 0)
                        return -errno;
        }

        return ss;
}

static int on_stream_timeout(sd_event_source *es, usec_t usec, void *userdata) {
        DnsStream *s = userdata;

        assert(s);

        return dns_stream_complete(s, ETIMEDOUT);
}

static DnsPacket *dns_stream_take_read_packet(DnsStream *s) {
        assert(s);

        /* Note, dns_stream_update() should be called after this is called. When this is called, the
         * stream may be already full and the EPOLLIN flag is dropped from the stream IO event source.
         * Even this makes a room to read in the stream, this does not call dns_stream_update(), hence
         * EPOLLIN flag is not set automatically. So, to read further packets from the stream,
         * dns_stream_update() must be called explicitly. Currently, this is only called from
         * on_stream_io_impl(), and there dns_stream_update() is called. */

        if (!s->read_packet)
                return NULL;

        if (s->n_read < sizeof(s->read_size))
                return NULL;

        if (s->n_read < sizeof(s->read_size) + be16toh(s->read_size))
                return NULL;

        s->n_read = 0;
        return TAKE_PTR(s->read_packet);
}

static int on_stream_io_impl(DnsStream *s, uint32_t revents) {
        bool progressed = false;
        int r;

        assert(s);

        /* This returns 1 when possible remaining stream exists, 0 on completed
           stream or recoverable error, and negative errno on failure. */

#if ENABLE_DNS_OVER_TLS
        if (s->encrypted) {
                r = dnstls_stream_on_io(s, revents);
                if (r == DNSTLS_STREAM_CLOSED)
                        return 0;
                if (r == -EAGAIN)
                        return dns_stream_update_io(s);
                if (r < 0)
                        return dns_stream_complete(s, -r);

                r = dns_stream_update_io(s);
                if (r < 0)
                        return r;
        }
#endif

        /* only identify after connecting */
        if (s->tfo_salen == 0) {
                r = dns_stream_identify(s);
                if (r < 0)
                        return dns_stream_complete(s, -r);
        }

        if ((revents & EPOLLOUT) &&
            s->write_packet &&
            s->n_written < sizeof(s->write_size) + s->write_packet->size) {

                struct iovec iov[] = {
                        IOVEC_MAKE(&s->write_size, sizeof(s->write_size)),
                        IOVEC_MAKE(DNS_PACKET_DATA(s->write_packet), s->write_packet->size),
                };

                IOVEC_INCREMENT(iov, ELEMENTSOF(iov), s->n_written);

                ssize_t ss = dns_stream_writev(s, iov, ELEMENTSOF(iov), 0);
                if (ss < 0) {
                        if (!ERRNO_IS_TRANSIENT(ss))
                                return dns_stream_complete(s, -ss);
                } else {
                        progressed = true;
                        s->n_written += ss;
                }

                /* Are we done? If so, disable the event source for EPOLLOUT */
                if (s->n_written >= sizeof(s->write_size) + s->write_packet->size) {
                        r = dns_stream_update_io(s);
                        if (r < 0)
                                return dns_stream_complete(s, -r);
                }
        }

        if ((revents & (EPOLLIN|EPOLLHUP|EPOLLRDHUP)) &&
            (!s->read_packet ||
             s->n_read < sizeof(s->read_size) + s->read_packet->size)) {

                if (s->n_read < sizeof(s->read_size)) {
                        ssize_t ss;

                        ss = dns_stream_read(s, (uint8_t*) &s->read_size + s->n_read, sizeof(s->read_size) - s->n_read);
                        if (ss < 0) {
                                if (!ERRNO_IS_TRANSIENT(ss))
                                        return dns_stream_complete(s, -ss);
                        } else if (ss == 0)
                                return dns_stream_complete(s, ECONNRESET);
                        else {
                                progressed = true;
                                s->n_read += ss;
                        }
                }

                if (s->n_read >= sizeof(s->read_size)) {

                        if (be16toh(s->read_size) < DNS_PACKET_HEADER_SIZE)
                                return dns_stream_complete(s, EBADMSG);

                        if (s->n_read < sizeof(s->read_size) + be16toh(s->read_size)) {
                                ssize_t ss;

                                if (!s->read_packet) {
                                        r = dns_packet_new(&s->read_packet, s->protocol, be16toh(s->read_size), DNS_PACKET_SIZE_MAX);
                                        if (r < 0)
                                                return dns_stream_complete(s, -r);

                                        s->read_packet->size = be16toh(s->read_size);
                                        s->read_packet->ipproto = IPPROTO_TCP;
                                        s->read_packet->family = s->peer.sa.sa_family;
                                        s->read_packet->ttl = s->ttl;
                                        s->read_packet->ifindex = s->ifindex;
                                        s->read_packet->timestamp = now(clock_boottime_or_monotonic());

                                        if (s->read_packet->family == AF_INET) {
                                                s->read_packet->sender.in = s->peer.in.sin_addr;
                                                s->read_packet->sender_port = be16toh(s->peer.in.sin_port);
                                                s->read_packet->destination.in = s->local.in.sin_addr;
                                                s->read_packet->destination_port = be16toh(s->local.in.sin_port);
                                        } else {
                                                assert(s->read_packet->family == AF_INET6);
                                                s->read_packet->sender.in6 = s->peer.in6.sin6_addr;
                                                s->read_packet->sender_port = be16toh(s->peer.in6.sin6_port);
                                                s->read_packet->destination.in6 = s->local.in6.sin6_addr;
                                                s->read_packet->destination_port = be16toh(s->local.in6.sin6_port);

                                                if (s->read_packet->ifindex == 0)
                                                        s->read_packet->ifindex = s->peer.in6.sin6_scope_id;
                                                if (s->read_packet->ifindex == 0)
                                                        s->read_packet->ifindex = s->local.in6.sin6_scope_id;
                                        }
                                }

                                ss = dns_stream_read(s,
                                          (uint8_t*) DNS_PACKET_DATA(s->read_packet) + s->n_read - sizeof(s->read_size),
                                          sizeof(s->read_size) + be16toh(s->read_size) - s->n_read);
                                if (ss < 0) {
                                        if (!ERRNO_IS_TRANSIENT(ss))
                                                return dns_stream_complete(s, -ss);
                                } else if (ss == 0)
                                        return dns_stream_complete(s, ECONNRESET);
                                else
                                        s->n_read += ss;
                        }

                        /* Are we done? If so, call the packet handler and re-enable EPOLLIN for the
                         * event source if necessary. */
                        _cleanup_(dns_packet_unrefp) DnsPacket *p = dns_stream_take_read_packet(s);
                        if (p) {
                                assert(s->on_packet);
                                r = s->on_packet(s, p);
                                if (r < 0)
                                        return r;

                                r = dns_stream_update_io(s);
                                if (r < 0)
                                        return dns_stream_complete(s, -r);

                                s->packet_received = true;
                        }
                }
        }

        if (s->type == DNS_STREAM_LLMNR_SEND && s->packet_received) {
                uint32_t events;

                /* Complete the stream if finished reading and writing one packet, and there's nothing
                 * else left to write. */

                r = sd_event_source_get_io_events(s->io_event_source, &events);
                if (r < 0)
                        return r;

                if (!FLAGS_SET(events, EPOLLOUT))
                        return dns_stream_complete(s, 0);
        }

        /* If we did something, let's restart the timeout event source */
        if (progressed && s->timeout_event_source) {
                r = sd_event_source_set_time_relative(s->timeout_event_source, DNS_STREAM_ESTABLISHED_TIMEOUT_USEC);
                if (r < 0)
                        log_warning_errno(errno, "Couldn't restart TCP connection timeout, ignoring: %m");
        }

        return 1;
}

static int on_stream_io(sd_event_source *es, int fd, uint32_t revents, void *userdata) {
        _cleanup_(dns_stream_unrefp) DnsStream *s = dns_stream_ref(userdata); /* Protect stream while we process it */
        int r;

        assert(s);

        r = on_stream_io_impl(s, revents);
        if (r <= 0)
                return r;

#if ENABLE_DNS_OVER_TLS
        if (!s->encrypted)
                return 0;

        /* When using DNS-over-TLS, the underlying TLS library may read the entire TLS record
           and buffer it internally. If this happens, we will not receive further EPOLLIN events,
           and unless there's some unrelated activity on the socket, we will hang until time out.
           To avoid this, if there's buffered TLS data, generate a "fake" EPOLLIN event.
           This is hacky, but it makes this case transparent to the rest of the IO code. */
        while (dnstls_stream_has_buffered_data(s)) {
                uint32_t events;

                /* Make sure the stream still wants to process more data... */
                r = sd_event_source_get_io_events(s->io_event_source, &events);
                if (r < 0)
                        return r;
                if (!FLAGS_SET(events, EPOLLIN))
                        break;

                r = on_stream_io_impl(s, EPOLLIN);
                if (r <= 0)
                        return r;
        }
#endif

        return 0;
}

static DnsStream *dns_stream_free(DnsStream *s) {
        DnsPacket *p;

        assert(s);

        dns_stream_stop(s);

        if (s->manager) {
                LIST_REMOVE(streams, s->manager->dns_streams, s);
                s->manager->n_dns_streams[s->type]--;
        }

#if ENABLE_DNS_OVER_TLS
        if (s->encrypted)
                dnstls_stream_free(s);
#endif

        ORDERED_SET_FOREACH(p, s->write_queue)
                dns_packet_unref(ordered_set_remove(s->write_queue, p));

        dns_packet_unref(s->write_packet);
        dns_packet_unref(s->read_packet);
        dns_server_unref(s->server);

        ordered_set_free(s->write_queue);

        return mfree(s);
}

DEFINE_TRIVIAL_REF_UNREF_FUNC(DnsStream, dns_stream, dns_stream_free);

int dns_stream_new(
                Manager *m,
                DnsStream **ret,
                DnsStreamType type,
                DnsProtocol protocol,
                int fd,
                const union sockaddr_union *tfo_address,
                int (on_packet)(DnsStream*, DnsPacket*),
                int (complete)(DnsStream*, int), /* optional */
                usec_t connect_timeout_usec) {

        _cleanup_(dns_stream_unrefp) DnsStream *s = NULL;
        int r;

        assert(m);
        assert(ret);
        assert(type >= 0);
        assert(type < _DNS_STREAM_TYPE_MAX);
        assert(protocol >= 0);
        assert(protocol < _DNS_PROTOCOL_MAX);
        assert(fd >= 0);
        assert(on_packet);

        if (m->n_dns_streams[type] > DNS_STREAMS_MAX)
                return -EBUSY;

        s = new(DnsStream, 1);
        if (!s)
                return -ENOMEM;

        *s = (DnsStream) {
                .n_ref = 1,
                .fd = -1,
                .protocol = protocol,
                .type = type,
        };

        r = ordered_set_ensure_allocated(&s->write_queue, &dns_packet_hash_ops);
        if (r < 0)
                return r;

        r = sd_event_add_io(m->event, &s->io_event_source, fd, EPOLLIN, on_stream_io, s);
        if (r < 0)
                return r;

        (void) sd_event_source_set_description(s->io_event_source, "dns-stream-io");

        r = sd_event_add_time_relative(
                        m->event,
                        &s->timeout_event_source,
                        clock_boottime_or_monotonic(),
                        connect_timeout_usec, 0,
                        on_stream_timeout, s);
        if (r < 0)
                return r;

        (void) sd_event_source_set_description(s->timeout_event_source, "dns-stream-timeout");

        LIST_PREPEND(streams, m->dns_streams, s);
        m->n_dns_streams[type]++;
        s->manager = m;

        s->fd = fd;
        s->on_packet = on_packet;
        s->complete = complete;

        if (tfo_address) {
                s->tfo_address = *tfo_address;
                s->tfo_salen = tfo_address->sa.sa_family == AF_INET6 ? sizeof(tfo_address->in6) : sizeof(tfo_address->in);
        }

        *ret = TAKE_PTR(s);

        return 0;
}

int dns_stream_write_packet(DnsStream *s, DnsPacket *p) {
        int r;

        assert(s);
        assert(p);

        r = ordered_set_put(s->write_queue, p);
        if (r < 0)
                return r;

        dns_packet_ref(p);

        return dns_stream_update_io(s);
}

void dns_stream_detach(DnsStream *s) {
        assert(s);

        if (!s->server)
                return;

        if (s->server->stream != s)
                return;

        dns_server_unref_stream(s->server);
}
Commit	Line	Data
db9ecf05	1	/* SPDX-License-Identifier: LGPL-2.1-or-later */
623a4c97 LP	2
623a4c97 LP	3	#include <netinet/tcp.h>
f5947a5e	4	#include <unistd.h>
623a4c97	5
b5efdb8a	6	#include "alloc-util.h"
3ffd4af2	7	#include "fd-util.h"
afc5dbf3	8	#include "io-util.h"
2aaf6bb6	9	#include "macro.h"
f5947a5e	10	#include "missing_network.h"
623a4c97	11	#include "resolved-dns-stream.h"
be28f72d	12	#include "resolved-manager.h"
623a4c97	13
623a4c97 LP	14	#define DNS_STREAMS_MAX 128
623a4c97 LP	15
b412af57 LP	16	#define DNS_QUERIES_PER_STREAM 32
b412af57 LP	17
623a4c97 LP	18	static void dns_stream_stop(DnsStream *s) {
	19	assert(s);
	20
97935302 ZJS	21	s->io_event_source = sd_event_source_disable_unref(s->io_event_source);
97935302 ZJS	22	s->timeout_event_source = sd_event_source_disable_unref(s->timeout_event_source);
623a4c97	23	s->fd = safe_close(s->fd);
808089ae LP	24
	25	/* Disconnect us from the server object if we are now not usable anymore */
	26	dns_stream_detach(s);
623a4c97 LP	27	}
	28
	29	static int dns_stream_update_io(DnsStream *s) {
	30	int f = 0;
	31
	32	assert(s);
	33
	34	if (s->write_packet && s->n_written < sizeof(s->write_size) + s->write_packet->size)
	35	f \|= EPOLLOUT;
98767d75 IT	36	else if (!ordered_set_isempty(s->write_queue)) {
	37	dns_packet_unref(s->write_packet);
	38	s->write_packet = ordered_set_steal_first(s->write_queue);
	39	s->write_size = htobe16(s->write_packet->size);
	40	s->n_written = 0;
	41	f \|= EPOLLOUT;
	42	}
b412af57 LP	43
	44	/* Let's read a packet if we haven't queued any yet. Except if we already hit a limit of parallel
	45	* queries for this connection. */
	46	if ((!s->read_packet \|\| s->n_read < sizeof(s->read_size) + s->read_packet->size) &&
	47	set_size(s->queries) < DNS_QUERIES_PER_STREAM)
623a4c97 LP	48	f \|= EPOLLIN;
623a4c97 LP	49
ba6aaf57 IT	50	#if ENABLE_DNS_OVER_TLS
ba6aaf57 IT	51	/* For handshake and clean closing purposes, TLS can override requested events */
57bdb749	52	if (s->dnstls_events != 0)
ba6aaf57 IT	53	f = s->dnstls_events;
	54	#endif
	55
623a4c97 LP	56	return sd_event_source_set_io_events(s->io_event_source, f);
	57	}
	58
b914e211	59	static int dns_stream_complete(DnsStream *s, int error) {
d973d94d LP	60	_cleanup_(dns_stream_unrefp) _unused_ DnsStream ref = dns_stream_ref(s); / Protect stream while we process it */
d973d94d LP	61
623a4c97	62	assert(s);
f447d9e3 LP	63	assert(error >= 0);
	64
	65	/* Error is > 0 when the connection failed for some reason in the network stack. It's == 0 if we sent
5238e957	66	* and received exactly one packet each (in the LLMNR client case). */
623a4c97	67
56ddbf10	68	#if ENABLE_DNS_OVER_TLS
6016fcb0	69	if (s->encrypted) {
5d67a7ae IT	70	int r;
5d67a7ae IT	71
6016fcb0 IT	72	r = dnstls_stream_shutdown(s, error);
6016fcb0 IT	73	if (r != -EAGAIN)
5d67a7ae IT	74	dns_stream_stop(s);
	75	} else
	76	#endif
	77	dns_stream_stop(s);
623a4c97	78
7172e4ee LP	79	dns_stream_detach(s);
7172e4ee LP	80
623a4c97 LP	81	if (s->complete)
623a4c97 LP	82	s->complete(s, error);
b30bf55d LP	83	else /* the default action if no completion function is set is to close the stream */
b30bf55d LP	84	dns_stream_unref(s);
623a4c97 LP	85
	86	return 0;
	87	}
	88
b914e211	89	static int dns_stream_identify(DnsStream *s) {
fb29cdbe	90	CMSG_BUFFER_TYPE(CMSG_SPACE(MAXSIZE(struct in_pktinfo, struct in6_pktinfo))
08ab1861	91	+ CMSG_SPACE(int) + /* for the TTL */
fb29cdbe	92	+ EXTRA_CMSG_SPACE /* kernel appears to require extra space */) control;
b914e211 LP	93	struct msghdr mh = {};
	94	struct cmsghdr *cmsg;
	95	socklen_t sl;
	96	int r;
	97
	98	assert(s);
	99
	100	if (s->identified)
	101	return 0;
	102
	103	/* Query the local side */
	104	s->local_salen = sizeof(s->local);
	105	r = getsockname(s->fd, &s->local.sa, &s->local_salen);
	106	if (r < 0)
	107	return -errno;
	108	if (s->local.sa.sa_family == AF_INET6 && s->ifindex <= 0)
	109	s->ifindex = s->local.in6.sin6_scope_id;
	110
	111	/* Query the remote side */
	112	s->peer_salen = sizeof(s->peer);
	113	r = getpeername(s->fd, &s->peer.sa, &s->peer_salen);
	114	if (r < 0)
	115	return -errno;
	116	if (s->peer.sa.sa_family == AF_INET6 && s->ifindex <= 0)
	117	s->ifindex = s->peer.in6.sin6_scope_id;
	118
	119	/* Check consistency */
	120	assert(s->peer.sa.sa_family == s->local.sa.sa_family);
	121	assert(IN_SET(s->peer.sa.sa_family, AF_INET, AF_INET6));
	122
	123	/* Query connection meta information */
	124	sl = sizeof(control);
	125	if (s->peer.sa.sa_family == AF_INET) {
	126	r = getsockopt(s->fd, IPPROTO_IP, IP_PKTOPTIONS, &control, &sl);
	127	if (r < 0)
	128	return -errno;
	129	} else if (s->peer.sa.sa_family == AF_INET6) {
	130
	131	r = getsockopt(s->fd, IPPROTO_IPV6, IPV6_2292PKTOPTIONS, &control, &sl);
	132	if (r < 0)
	133	return -errno;
	134	} else
	135	return -EAFNOSUPPORT;
	136
	137	mh.msg_control = &control;
	138	mh.msg_controllen = sl;
2a1288ff LP	139
2a1288ff LP	140	CMSG_FOREACH(cmsg, &mh) {
b914e211 LP	141
	142	if (cmsg->cmsg_level == IPPROTO_IPV6) {
	143	assert(s->peer.sa.sa_family == AF_INET6);
	144
	145	switch (cmsg->cmsg_type) {
	146
	147	case IPV6_PKTINFO: {
	148	struct in6_pktinfo i = (struct in6_pktinfo) CMSG_DATA(cmsg);
	149
	150	if (s->ifindex <= 0)
	151	s->ifindex = i->ipi6_ifindex;
	152	break;
	153	}
	154
	155	case IPV6_HOPLIMIT:
	156	s->ttl = (int ) CMSG_DATA(cmsg);
	157	break;
	158	}
	159
	160	} else if (cmsg->cmsg_level == IPPROTO_IP) {
	161	assert(s->peer.sa.sa_family == AF_INET);
	162
	163	switch (cmsg->cmsg_type) {
	164
	165	case IP_PKTINFO: {
	166	struct in_pktinfo i = (struct in_pktinfo) CMSG_DATA(cmsg);
	167
	168	if (s->ifindex <= 0)
	169	s->ifindex = i->ipi_ifindex;
	170	break;
	171	}
	172
	173	case IP_TTL:
	174	s->ttl = (int ) CMSG_DATA(cmsg);
	175	break;
	176	}
	177	}
	178	}
	179
	180	/* The Linux kernel sets the interface index to the loopback
	181	* device if the connection came from the local host since it
	182	* avoids the routing table in such a case. Let's unset the
	183	* interface index in such a case. */
a5f03596	184	if (s->ifindex == LOOPBACK_IFINDEX)
b914e211 LP	185	s->ifindex = 0;
	186
	187	/* If we don't know the interface index still, we look for the
	188	* first local interface with a matching address. Yuck! */
	189	if (s->ifindex <= 0)
b1dea5cf	190	s->ifindex = manager_find_ifindex(s->manager, s->local.sa.sa_family, sockaddr_in_addr(&s->local.sa));
b914e211 LP	191
b914e211 LP	192	if (s->protocol == DNS_PROTOCOL_LLMNR && s->ifindex > 0) {
b914e211	193	/* Make sure all packets for this connection are sent on the same interface */
5d0fe423 LP	194	r = socket_set_unicast_if(s->fd, s->local.sa.sa_family, s->ifindex);
	195	if (r < 0)
	196	log_debug_errno(errno, "Failed to invoke IP_UNICAST_IF/IPV6_UNICAST_IF: %m");
b914e211 LP	197	}
	198
	199	s->identified = true;
	200
	201	return 0;
	202	}
	203
6016fcb0	204	ssize_t dns_stream_writev(DnsStream s, const struct iovec iov, size_t iovcnt, int flags) {
e6dc5556	205	ssize_t m;
91ccab1e IT	206
	207	assert(s);
	208	assert(iov);
	209
56ddbf10	210	#if ENABLE_DNS_OVER_TLS
6016fcb0	211	if (s->encrypted && !(flags & DNS_STREAM_WRITE_TLS_DATA)) {
5d67a7ae IT	212	ssize_t ss;
	213	size_t i;
	214
e6dc5556	215	m = 0;
5d67a7ae	216	for (i = 0; i < iovcnt; i++) {
6016fcb0 IT	217	ss = dnstls_stream_write(s, iov[i].iov_base, iov[i].iov_len);
	218	if (ss < 0)
	219	return ss;
5d67a7ae	220
e6dc5556	221	m += ss;
5d67a7ae IT	222	if (ss != (ssize_t) iov[i].iov_len)
	223	continue;
	224	}
	225	} else
	226	#endif
91ccab1e IT	227	if (s->tfo_salen > 0) {
	228	struct msghdr hdr = {
	229	.msg_iov = (struct iovec*) iov,
	230	.msg_iovlen = iovcnt,
	231	.msg_name = &s->tfo_address.sa,
	232	.msg_namelen = s->tfo_salen
	233	};
	234
e6dc5556 LP	235	m = sendmsg(s->fd, &hdr, MSG_FASTOPEN);
e6dc5556 LP	236	if (m < 0) {
91ccab1e IT	237	if (errno == EOPNOTSUPP) {
91ccab1e IT	238	s->tfo_salen = 0;
e6dc5556	239	if (connect(s->fd, &s->tfo_address.sa, s->tfo_salen) < 0)
91ccab1e IT	240	return -errno;
91ccab1e IT	241
e6dc5556 LP	242	return -EAGAIN;
	243	}
	244	if (errno == EINPROGRESS)
	245	return -EAGAIN;
	246
	247	return -errno;
91ccab1e IT	248	} else
91ccab1e IT	249	s->tfo_salen = 0; /* connection is made */
f6c9c5f8	250	} else {
e6dc5556 LP	251	m = writev(s->fd, iov, iovcnt);
	252	if (m < 0)
	253	return -errno;
f6c9c5f8	254	}
91ccab1e	255
e6dc5556	256	return m;
91ccab1e IT	257	}
91ccab1e IT	258
5d67a7ae IT	259	static ssize_t dns_stream_read(DnsStream s, void buf, size_t count) {
	260	ssize_t ss;
	261
56ddbf10	262	#if ENABLE_DNS_OVER_TLS
6016fcb0 IT	263	if (s->encrypted)
	264	ss = dnstls_stream_read(s, buf, count);
	265	else
5d67a7ae	266	#endif
f6c9c5f8	267	{
5d67a7ae	268	ss = read(s->fd, buf, count);
f6c9c5f8	269	if (ss < 0)
94fdb4d9	270	return -errno;
f6c9c5f8	271	}
5d67a7ae IT	272
	273	return ss;
	274	}
	275
623a4c97 LP	276	static int on_stream_timeout(sd_event_source es, usec_t usec, void userdata) {
	277	DnsStream *s = userdata;
	278
	279	assert(s);
	280
b914e211	281	return dns_stream_complete(s, ETIMEDOUT);
623a4c97 LP	282	}
623a4c97 LP	283
624f907e YW	284	static DnsPacket dns_stream_take_read_packet(DnsStream s) {
	285	assert(s);
	286
4aa61298 YW	287	/* Note, dns_stream_update() should be called after this is called. When this is called, the
	288	* stream may be already full and the EPOLLIN flag is dropped from the stream IO event source.
	289	* Even this makes a room to read in the stream, this does not call dns_stream_update(), hence
	290	* EPOLLIN flag is not set automatically. So, to read further packets from the stream,
	291	* dns_stream_update() must be called explicitly. Currently, this is only called from
	292	* on_stream_io_impl(), and there dns_stream_update() is called. */
	293
624f907e YW	294	if (!s->read_packet)
	295	return NULL;
	296
	297	if (s->n_read < sizeof(s->read_size))
	298	return NULL;
	299
	300	if (s->n_read < sizeof(s->read_size) + be16toh(s->read_size))
	301	return NULL;
	302
	303	s->n_read = 0;
	304	return TAKE_PTR(s->read_packet);
	305	}
	306
2aaf6bb6	307	static int on_stream_io_impl(DnsStream *s, uint32_t revents) {
5971dffd	308	bool progressed = false;
623a4c97 LP	309	int r;
	310
	311	assert(s);
	312
2aaf6bb6 JB	313	/* This returns 1 when possible remaining stream exists, 0 on completed
	314	stream or recoverable error, and negative errno on failure. */
	315
56ddbf10	316	#if ENABLE_DNS_OVER_TLS
6016fcb0	317	if (s->encrypted) {
04c4d919	318	r = dnstls_stream_on_io(s, revents);
ba6aaf57	319	if (r == DNSTLS_STREAM_CLOSED)
6016fcb0	320	return 0;
b2cf6704	321	if (r == -EAGAIN)
ba6aaf57	322	return dns_stream_update_io(s);
b2cf6704	323	if (r < 0)
6016fcb0	324	return dns_stream_complete(s, -r);
b2cf6704 LP	325
	326	r = dns_stream_update_io(s);
	327	if (r < 0)
	328	return r;
5d67a7ae IT	329	}
	330	#endif
	331
91ccab1e IT	332	/* only identify after connecting */
	333	if (s->tfo_salen == 0) {
	334	r = dns_stream_identify(s);
	335	if (r < 0)
	336	return dns_stream_complete(s, -r);
	337	}
b914e211	338
623a4c97 LP	339	if ((revents & EPOLLOUT) &&
	340	s->write_packet &&
	341	s->n_written < sizeof(s->write_size) + s->write_packet->size) {
	342
cf1e6e62 ZJS	343	struct iovec iov[] = {
	344	IOVEC_MAKE(&s->write_size, sizeof(s->write_size)),
	345	IOVEC_MAKE(DNS_PACKET_DATA(s->write_packet), s->write_packet->size),
	346	};
623a4c97	347
cf1e6e62	348	IOVEC_INCREMENT(iov, ELEMENTSOF(iov), s->n_written);
623a4c97	349
cf1e6e62	350	ssize_t ss = dns_stream_writev(s, iov, ELEMENTSOF(iov), 0);
623a4c97	351	if (ss < 0) {
8add30a0	352	if (!ERRNO_IS_TRANSIENT(ss))
f6c9c5f8	353	return dns_stream_complete(s, -ss);
5971dffd LP	354	} else {
5971dffd LP	355	progressed = true;
623a4c97	356	s->n_written += ss;
5971dffd	357	}
623a4c97 LP	358
	359	/* Are we done? If so, disable the event source for EPOLLOUT */
	360	if (s->n_written >= sizeof(s->write_size) + s->write_packet->size) {
	361	r = dns_stream_update_io(s);
	362	if (r < 0)
b914e211	363	return dns_stream_complete(s, -r);
623a4c97 LP	364	}
	365	}
	366
	367	if ((revents & (EPOLLIN\|EPOLLHUP\|EPOLLRDHUP)) &&
	368	(!s->read_packet \|\|
	369	s->n_read < sizeof(s->read_size) + s->read_packet->size)) {
	370
	371	if (s->n_read < sizeof(s->read_size)) {
	372	ssize_t ss;
	373
5d67a7ae	374	ss = dns_stream_read(s, (uint8_t*) &s->read_size + s->n_read, sizeof(s->read_size) - s->n_read);
623a4c97	375	if (ss < 0) {
8add30a0	376	if (!ERRNO_IS_TRANSIENT(ss))
f6c9c5f8	377	return dns_stream_complete(s, -ss);
623a4c97	378	} else if (ss == 0)
b914e211	379	return dns_stream_complete(s, ECONNRESET);
5971dffd LP	380	else {
5971dffd LP	381	progressed = true;
623a4c97	382	s->n_read += ss;
5971dffd	383	}
623a4c97 LP	384	}
	385
	386	if (s->n_read >= sizeof(s->read_size)) {
	387
	388	if (be16toh(s->read_size) < DNS_PACKET_HEADER_SIZE)
b914e211	389	return dns_stream_complete(s, EBADMSG);
623a4c97 LP	390
	391	if (s->n_read < sizeof(s->read_size) + be16toh(s->read_size)) {
	392	ssize_t ss;
	393
	394	if (!s->read_packet) {
51027656	395	r = dns_packet_new(&s->read_packet, s->protocol, be16toh(s->read_size), DNS_PACKET_SIZE_MAX);
623a4c97	396	if (r < 0)
b914e211	397	return dns_stream_complete(s, -r);
623a4c97 LP	398
	399	s->read_packet->size = be16toh(s->read_size);
	400	s->read_packet->ipproto = IPPROTO_TCP;
	401	s->read_packet->family = s->peer.sa.sa_family;
	402	s->read_packet->ttl = s->ttl;
	403	s->read_packet->ifindex = s->ifindex;
5777c613	404	s->read_packet->timestamp = now(clock_boottime_or_monotonic());
623a4c97 LP	405
	406	if (s->read_packet->family == AF_INET) {
	407	s->read_packet->sender.in = s->peer.in.sin_addr;
	408	s->read_packet->sender_port = be16toh(s->peer.in.sin_port);
	409	s->read_packet->destination.in = s->local.in.sin_addr;
	410	s->read_packet->destination_port = be16toh(s->local.in.sin_port);
	411	} else {
	412	assert(s->read_packet->family == AF_INET6);
	413	s->read_packet->sender.in6 = s->peer.in6.sin6_addr;
	414	s->read_packet->sender_port = be16toh(s->peer.in6.sin6_port);
	415	s->read_packet->destination.in6 = s->local.in6.sin6_addr;
	416	s->read_packet->destination_port = be16toh(s->local.in6.sin6_port);
	417
	418	if (s->read_packet->ifindex == 0)
	419	s->read_packet->ifindex = s->peer.in6.sin6_scope_id;
	420	if (s->read_packet->ifindex == 0)
	421	s->read_packet->ifindex = s->local.in6.sin6_scope_id;
	422	}
	423	}
	424
5d67a7ae	425	ss = dns_stream_read(s,
623a4c97 LP	426	(uint8_t*) DNS_PACKET_DATA(s->read_packet) + s->n_read - sizeof(s->read_size),
	427	sizeof(s->read_size) + be16toh(s->read_size) - s->n_read);
	428	if (ss < 0) {
8add30a0	429	if (!ERRNO_IS_TRANSIENT(ss))
99521cab	430	return dns_stream_complete(s, -ss);
623a4c97	431	} else if (ss == 0)
b914e211	432	return dns_stream_complete(s, ECONNRESET);
623a4c97 LP	433	else
	434	s->n_read += ss;
	435	}
	436
18230451 YW	437	/* Are we done? If so, call the packet handler and re-enable EPOLLIN for the
18230451 YW	438	* event source if necessary. */
624f907e YW	439	_cleanup_(dns_packet_unrefp) DnsPacket *p = dns_stream_take_read_packet(s);
624f907e YW	440	if (p) {
18230451	441	assert(s->on_packet);
624f907e	442	r = s->on_packet(s, p);
18230451 YW	443	if (r < 0)
18230451 YW	444	return r;
98767d75 IT	445
	446	r = dns_stream_update_io(s);
	447	if (r < 0)
	448	return dns_stream_complete(s, -r);
a5e2a488 YW	449
a5e2a488 YW	450	s->packet_received = true;
623a4c97 LP	451	}
	452	}
	453	}
	454
a5e2a488 YW	455	if (s->type == DNS_STREAM_LLMNR_SEND && s->packet_received) {
	456	uint32_t events;
	457
	458	/* Complete the stream if finished reading and writing one packet, and there's nothing
	459	* else left to write. */
	460
	461	r = sd_event_source_get_io_events(s->io_event_source, &events);
	462	if (r < 0)
	463	return r;
	464
	465	if (!FLAGS_SET(events, EPOLLOUT))
	466	return dns_stream_complete(s, 0);
	467	}
623a4c97	468
5971dffd LP	469	/* If we did something, let's restart the timeout event source */
5971dffd LP	470	if (progressed && s->timeout_event_source) {
e1158539	471	r = sd_event_source_set_time_relative(s->timeout_event_source, DNS_STREAM_ESTABLISHED_TIMEOUT_USEC);
5971dffd LP	472	if (r < 0)
	473	log_warning_errno(errno, "Couldn't restart TCP connection timeout, ignoring: %m");
	474	}
	475
2aaf6bb6 JB	476	return 1;
	477	}
	478
	479	static int on_stream_io(sd_event_source es, int fd, uint32_t revents, void userdata) {
	480	_cleanup_(dns_stream_unrefp) DnsStream s = dns_stream_ref(userdata); / Protect stream while we process it */
	481	int r;
	482
	483	assert(s);
	484
	485	r = on_stream_io_impl(s, revents);
	486	if (r <= 0)
	487	return r;
	488
	489	#if ENABLE_DNS_OVER_TLS
	490	if (!s->encrypted)
	491	return 0;
	492
	493	/* When using DNS-over-TLS, the underlying TLS library may read the entire TLS record
	494	and buffer it internally. If this happens, we will not receive further EPOLLIN events,
	495	and unless there's some unrelated activity on the socket, we will hang until time out.
	496	To avoid this, if there's buffered TLS data, generate a "fake" EPOLLIN event.
	497	This is hacky, but it makes this case transparent to the rest of the IO code. */
	498	while (dnstls_stream_has_buffered_data(s)) {
	499	uint32_t events;
	500
	501	/* Make sure the stream still wants to process more data... */
	502	r = sd_event_source_get_io_events(s->io_event_source, &events);
	503	if (r < 0)
	504	return r;
	505	if (!FLAGS_SET(events, EPOLLIN))
	506	break;
	507
	508	r = on_stream_io_impl(s, EPOLLIN);
	509	if (r <= 0)
	510	return r;
	511	}
	512	#endif
	513
623a4c97 LP	514	return 0;
	515	}
	516
8301aa0b	517	static DnsStream dns_stream_free(DnsStream s) {
98767d75	518	DnsPacket *p;
98767d75	519
8301aa0b	520	assert(s);
b30bf55d	521
623a4c97 LP	522	dns_stream_stop(s);
	523
	524	if (s->manager) {
	525	LIST_REMOVE(streams, s->manager->dns_streams, s);
652ba568	526	s->manager->n_dns_streams[s->type]--;
623a4c97 LP	527	}
623a4c97 LP	528
56ddbf10	529	#if ENABLE_DNS_OVER_TLS
6016fcb0 IT	530	if (s->encrypted)
6016fcb0 IT	531	dnstls_stream_free(s);
5d67a7ae IT	532	#endif
5d67a7ae IT	533
90e74a66	534	ORDERED_SET_FOREACH(p, s->write_queue)
98767d75 IT	535	dns_packet_unref(ordered_set_remove(s->write_queue, p));
98767d75 IT	536
623a4c97 LP	537	dns_packet_unref(s->write_packet);
623a4c97 LP	538	dns_packet_unref(s->read_packet);
98767d75 IT	539	dns_server_unref(s->server);
	540
	541	ordered_set_free(s->write_queue);
623a4c97	542
6b430fdb	543	return mfree(s);
623a4c97 LP	544	}
623a4c97 LP	545
8301aa0b	546	DEFINE_TRIVIAL_REF_UNREF_FUNC(DnsStream, dns_stream, dns_stream_free);
623a4c97	547
b27a32a0 LP	548	int dns_stream_new(
	549	Manager *m,
	550	DnsStream **ret,
652ba568	551	DnsStreamType type,
b27a32a0 LP	552	DnsProtocol protocol,
b27a32a0 LP	553	int fd,
e1158539	554	const union sockaddr_union *tfo_address,
624f907e	555	int (on_packet)(DnsStream, DnsPacket),
18230451	556	int (complete)(DnsStream, int), / optional */
e1158539	557	usec_t connect_timeout_usec) {
b27a32a0	558
b30bf55d	559	_cleanup_(dns_stream_unrefp) DnsStream *s = NULL;
623a4c97 LP	560	int r;
	561
	562	assert(m);
499aa1d3	563	assert(ret);
652ba568 LP	564	assert(type >= 0);
	565	assert(type < _DNS_STREAM_TYPE_MAX);
	566	assert(protocol >= 0);
	567	assert(protocol < _DNS_PROTOCOL_MAX);
623a4c97	568	assert(fd >= 0);
18230451	569	assert(on_packet);
623a4c97	570
652ba568	571	if (m->n_dns_streams[type] > DNS_STREAMS_MAX)
623a4c97 LP	572	return -EBUSY;
623a4c97 LP	573
898892e8	574	s = new(DnsStream, 1);
623a4c97 LP	575	if (!s)
	576	return -ENOMEM;
	577
898892e8 LP	578	*s = (DnsStream) {
	579	.n_ref = 1,
	580	.fd = -1,
	581	.protocol = protocol,
1c089741	582	.type = type,
898892e8 LP	583	};
898892e8 LP	584
98767d75 IT	585	r = ordered_set_ensure_allocated(&s->write_queue, &dns_packet_hash_ops);
	586	if (r < 0)
	587	return r;
	588
623a4c97 LP	589	r = sd_event_add_io(m->event, &s->io_event_source, fd, EPOLLIN, on_stream_io, s);
	590	if (r < 0)
	591	return r;
	592
aa4a9deb LP	593	(void) sd_event_source_set_description(s->io_event_source, "dns-stream-io");
aa4a9deb LP	594
39cf0351	595	r = sd_event_add_time_relative(
9a015429 LP	596	m->event,
	597	&s->timeout_event_source,
	598	clock_boottime_or_monotonic(),
e1158539	599	connect_timeout_usec, 0,
9a015429	600	on_stream_timeout, s);
623a4c97 LP	601	if (r < 0)
	602	return r;
	603
aa4a9deb LP	604	(void) sd_event_source_set_description(s->timeout_event_source, "dns-stream-timeout");
aa4a9deb LP	605
623a4c97	606	LIST_PREPEND(streams, m->dns_streams, s);
652ba568	607	m->n_dns_streams[type]++;
623a4c97	608	s->manager = m;
08e254c8	609
623a4c97	610	s->fd = fd;
18230451 YW	611	s->on_packet = on_packet;
18230451 YW	612	s->complete = complete;
08e254c8	613
91ccab1e IT	614	if (tfo_address) {
	615	s->tfo_address = *tfo_address;
	616	s->tfo_salen = tfo_address->sa.sa_family == AF_INET6 ? sizeof(tfo_address->in6) : sizeof(tfo_address->in);
	617	}
	618
1cc6c93a	619	*ret = TAKE_PTR(s);
623a4c97 LP	620
	621	return 0;
	622	}
	623
	624	int dns_stream_write_packet(DnsStream s, DnsPacket p) {
98767d75 IT	625	int r;
98767d75 IT	626
623a4c97	627	assert(s);
499aa1d3	628	assert(p);
623a4c97	629
98767d75 IT	630	r = ordered_set_put(s->write_queue, p);
	631	if (r < 0)
	632	return r;
623a4c97	633
98767d75	634	dns_packet_ref(p);
623a4c97 LP	635
	636	return dns_stream_update_io(s);
	637	}
aa337a5e	638
808089ae LP	639	void dns_stream_detach(DnsStream *s) {
	640	assert(s);
	641
	642	if (!s->server)
	643	return;
	644
	645	if (s->server->stream != s)
	646	return;
	647
	648	dns_server_unref_stream(s->server);
	649	}