diff options
Diffstat (limited to 'src')
97 files changed, 5651 insertions, 2525 deletions
| diff --git a/src/basic/c-rbtree.c b/src/basic/c-rbtree.c new file mode 100644 index 0000000000..914d7e5229 --- /dev/null +++ b/src/basic/c-rbtree.c @@ -0,0 +1,679 @@ +/*** +  This file is part of systemd. See COPYING for details. + +  systemd is free software; you can redistribute it and/or modify it +  under the terms of the GNU Lesser General Public License as published by +  the Free Software Foundation; either version 2.1 of the License, or +  (at your option) any later version. + +  systemd is distributed in the hope that it will be useful, but +  WITHOUT ANY WARRANTY; without even the implied warranty of +  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU +  Lesser General Public License for more details. + +  You should have received a copy of the GNU Lesser General Public License +  along with systemd; If not, see <http://www.gnu.org/licenses/>. +***/ + +/* + * RB-Tree Implementation + * This implements the insertion/removal of elements in RB-Trees. You're highly + * recommended to have an RB-Tree documentation at hand when reading this. Both + * insertion and removal can be split into a handful of situations that can + * occur. Those situations are enumerated as "Case 1" to "Case n" here, and + * follow closely the cases described in most RB-Tree documentations. This file + * does not explain why it is enough to handle just those cases, nor does it + * provide a proof of correctness. Dig out your algorithm 101 handbook if + * you're interested. + * + * This implementation is *not* straightforward. Usually, a handful of + * rotation, reparent, swap and link helpers can be used to implement the + * rebalance operations. However, those often perform unnecessary writes. + * Therefore, this implementation hard-codes all the operations. You're highly + * recommended to look at the two basic helpers before reading the code: + *     c_rbtree_swap_child() + *     c_rbtree_set_parent_and_color() + * Those are the only helpers used, hence, you should really know what they do + * before digging into the code. + * + * For a highlevel documentation of the API, see the header file and docbook + * comments. + */ + +#include <assert.h> +#include <stddef.h> +#include "c-rbtree.h" + +enum { +        C_RBNODE_RED   = 0, +        C_RBNODE_BLACK = 1, +}; + +static inline unsigned long c_rbnode_color(CRBNode *n) { +        return (unsigned long)n->__parent_and_color & 1UL; +} + +static inline _Bool c_rbnode_is_red(CRBNode *n) { +        return c_rbnode_color(n) == C_RBNODE_RED; +} + +static inline _Bool c_rbnode_is_black(CRBNode *n) { +        return c_rbnode_color(n) == C_RBNODE_BLACK; +} + +/** + * c_rbnode_leftmost() - return leftmost child + * @n:          current node, or NULL + * + * This returns the leftmost child of @n. If @n is NULL, this will return NULL. + * In all other cases, this function returns a valid pointer. That is, if @n + * does not have any left children, this returns @n. + * + * Worst case runtime (n: number of elements in tree): O(log(n)) + * + * Return: Pointer to leftmost child, or NULL. + */ +CRBNode *c_rbnode_leftmost(CRBNode *n) { +        if (n) +                while (n->left) +                        n = n->left; +        return n; +} + +/** + * c_rbnode_rightmost() - return rightmost child + * @n:          current node, or NULL + * + * This returns the rightmost child of @n. If @n is NULL, this will return + * NULL. In all other cases, this function returns a valid pointer. That is, if + * @n does not have any right children, this returns @n. + * + * Worst case runtime (n: number of elements in tree): O(log(n)) + * + * Return: Pointer to rightmost child, or NULL. + */ +CRBNode *c_rbnode_rightmost(CRBNode *n) { +        if (n) +                while (n->right) +                        n = n->right; +        return n; +} + +/** + * c_rbnode_next() - return next node + * @n:          current node, or NULL + * + * An RB-Tree always defines a linear order of its elements. This function + * returns the logically next node to @n. If @n is NULL, the last node or + * unlinked, this returns NULL. + * + * Worst case runtime (n: number of elements in tree): O(log(n)) + * + * Return: Pointer to next node, or NULL. + */ +CRBNode *c_rbnode_next(CRBNode *n) { +        CRBNode *p; + +        if (!c_rbnode_is_linked(n)) +                return NULL; +        if (n->right) +                return c_rbnode_leftmost(n->right); + +        while ((p = c_rbnode_parent(n)) && n == p->right) +                n = p; + +        return p; +} + +/** + * c_rbnode_prev() - return previous node + * @n:          current node, or NULL + * + * An RB-Tree always defines a linear order of its elements. This function + * returns the logically previous node to @n. If @n is NULL, the first node or + * unlinked, this returns NULL. + * + * Worst case runtime (n: number of elements in tree): O(log(n)) + * + * Return: Pointer to previous node, or NULL. + */ +CRBNode *c_rbnode_prev(CRBNode *n) { +        CRBNode *p; + +        if (!c_rbnode_is_linked(n)) +                return NULL; +        if (n->left) +                return c_rbnode_rightmost(n->left); + +        while ((p = c_rbnode_parent(n)) && n == p->left) +                n = p; + +        return p; +} + +/** + * c_rbtree_first() - return first node + * @t:          tree to operate on + * + * An RB-Tree always defines a linear order of its elements. This function + * returns the logically first node in @t. If @t is empty, NULL is returned. + * + * Fixed runtime (n: number of elements in tree): O(log(n)) + * + * Return: Pointer to first node, or NULL. + */ +CRBNode *c_rbtree_first(CRBTree *t) { +        assert(t); +        return c_rbnode_leftmost(t->root); +} + +/** + * c_rbtree_last() - return last node + * @t:          tree to operate on + * + * An RB-Tree always defines a linear order of its elements. This function + * returns the logically last node in @t. If @t is empty, NULL is returned. + * + * Fixed runtime (n: number of elements in tree): O(log(n)) + * + * Return: Pointer to last node, or NULL. + */ +CRBNode *c_rbtree_last(CRBTree *t) { +        assert(t); +        return c_rbnode_rightmost(t->root); +} + +/* + * Set the color and parent of a node. This should be treated as a simple + * assignment of the 'color' and 'parent' fields of the node. No other magic is + * applied. But since both fields share its backing memory, this helper + * function is provided. + */ +static inline void c_rbnode_set_parent_and_color(CRBNode *n, CRBNode *p, unsigned long c) { +        assert(!((unsigned long)p & 1)); +        assert(c < 2); +        n->__parent_and_color = (CRBNode*)((unsigned long)p | c); +} + +/* same as c_rbnode_set_parent_and_color(), but keeps the current parent */ +static inline void c_rbnode_set_color(CRBNode *n, unsigned long c) { +        c_rbnode_set_parent_and_color(n, c_rbnode_parent(n), c); +} + +/* same as c_rbnode_set_parent_and_color(), but keeps the current color */ +static inline void c_rbnode_set_parent(CRBNode *n, CRBNode *p) { +        c_rbnode_set_parent_and_color(n, p, c_rbnode_color(n)); +} + +/* + * This function partially replaces an existing child pointer to a new one. The + * existing child must be given as @old, the new child as @new. @p must be the + * parent of @old (or NULL if it has no parent). + * This function ensures that the parent of @old now points to @new. However, + * it does *NOT* change the parent pointer of @new. The caller must ensure + * this. + * If @p is NULL, this function ensures that the root-pointer is adjusted + * instead (given as @t). + */ +static inline void c_rbtree_swap_child(CRBTree *t, CRBNode *p, CRBNode *old, CRBNode *new) { +        if (p) { +                if (p->left == old) +                        p->left = new; +                else +                        p->right = new; +        } else { +                t->root = new; +        } +} + +static inline CRBNode *c_rbtree_paint_one(CRBTree *t, CRBNode *n) { +        CRBNode *p, *g, *gg, *u, *x; + +        /* +         * Paint a single node according to RB-Tree rules. The node must +         * already be linked into the tree and painted red. +         * We repaint the node or rotate the tree, if required. In case a +         * recursive repaint is required, the next node to be re-painted +         * is returned. +         *      p: parent +         *      g: grandparent +         *      gg: grandgrandparent +         *      u: uncle +         *      x: temporary +         */ + +        /* node is red, so we can access the parent directly */ +        p = n->__parent_and_color; + +        if (!p) { +                /* Case 1: +                 * We reached the root. Mark it black and be done. As all +                 * leaf-paths share the root, the ratio of black nodes on each +                 * path stays the same. */ +                c_rbnode_set_parent_and_color(n, p, C_RBNODE_BLACK); +                n = NULL; +        } else if (c_rbnode_is_black(p)) { +                /* Case 2: +                 * The parent is already black. As our node is red, we did not +                 * change the number of black nodes on any path, nor do we have +                 * multiple consecutive red nodes. */ +                n = NULL; +        } else if (p == p->__parent_and_color->left) { /* parent is red, so grandparent exists */ +                g = p->__parent_and_color; +                gg = c_rbnode_parent(g); +                u = g->right; + +                if (u && c_rbnode_is_red(u)) { +                        /* Case 3: +                         * Parent and uncle are both red. We know the +                         * grandparent must be black then. Repaint parent and +                         * uncle black, the grandparent red and recurse into +                         * the grandparent. */ +                        c_rbnode_set_parent_and_color(p, g, C_RBNODE_BLACK); +                        c_rbnode_set_parent_and_color(u, g, C_RBNODE_BLACK); +                        c_rbnode_set_parent_and_color(g, gg, C_RBNODE_RED); +                        n = g; +                } else { +                        /* parent is red, uncle is black */ + +                        if (n == p->right) { +                                /* Case 4: +                                 * We're the right child. Rotate on parent to +                                 * become left child, so we can handle it the +                                 * same as case 5. */ +                                x = n->left; +                                p->right = n->left; +                                n->left = p; +                                if (x) +                                        c_rbnode_set_parent_and_color(x, p, C_RBNODE_BLACK); +                                c_rbnode_set_parent_and_color(p, n, C_RBNODE_RED); +                                p = n; +                        } + +                        /* 'n' is invalid from here on! */ +                        n = NULL; + +                        /* Case 5: +                         * We're the red left child or a red parent, black +                         * grandparent and uncle. Rotate on grandparent and +                         * switch color with parent. Number of black nodes on +                         * each path stays the same, but we got rid of the +                         * double red path. As the grandparent is still black, +                         * we're done. */ +                        x = p->right; +                        g->left = x; +                        p->right = g; +                        if (x) +                                c_rbnode_set_parent_and_color(x, g, C_RBNODE_BLACK); +                        c_rbnode_set_parent_and_color(p, gg, C_RBNODE_BLACK); +                        c_rbnode_set_parent_and_color(g, p, C_RBNODE_RED); +                        c_rbtree_swap_child(t, gg, g, p); +                } +        } else /* if (p == p->__parent_and_color->left) */ { /* same as above, but mirrored */ +                g = p->__parent_and_color; +                gg = c_rbnode_parent(g); +                u = g->left; + +                if (u && c_rbnode_is_red(u)) { +                        c_rbnode_set_parent_and_color(p, g, C_RBNODE_BLACK); +                        c_rbnode_set_parent_and_color(u, g, C_RBNODE_BLACK); +                        c_rbnode_set_parent_and_color(g, gg, C_RBNODE_RED); +                        n = g; +                } else { +                        if (n == p->left) { +                                x = n->right; +                                p->left = n->right; +                                n->right = p; +                                if (x) +                                        c_rbnode_set_parent_and_color(x, p, C_RBNODE_BLACK); +                                c_rbnode_set_parent_and_color(p, n, C_RBNODE_RED); +                                p = n; +                        } + +                        n = NULL; + +                        x = p->left; +                        g->right = x; +                        p->left = g; +                        if (x) +                                c_rbnode_set_parent_and_color(x, g, C_RBNODE_BLACK); +                        c_rbnode_set_parent_and_color(p, gg, C_RBNODE_BLACK); +                        c_rbnode_set_parent_and_color(g, p, C_RBNODE_RED); +                        c_rbtree_swap_child(t, gg, g, p); +                } +        } + +        return n; +} + +static inline void c_rbtree_paint(CRBTree *t, CRBNode *n) { +        assert(t); +        assert(n); + +        while (n) +                n = c_rbtree_paint_one(t, n); +} + +/** + * c_rbtree_add() - add node to tree + * @t:          tree to operate one + * @p:          parent node to link under, or NULL + * @l:          left/right slot of @p (or root) to link at + * @n:          node to add + * + * This links @n into the tree given as @t. The caller must provide the exact + * spot where to link the node. That is, the caller must traverse the tree + * based on their search order. Once they hit a leaf where to insert the node, + * call this function to link it and rebalance the tree. + * + * A typical insertion would look like this (@t is your tree, @n is your node): + * + *        CRBNode **i, *p; + * + *        i = &t->root; + *        p = NULL; + *        while (*i) { + *                p = *i; + *                if (compare(n, *i) < 0) + *                        i = &(*i)->left; + *                else + *                        i = &(*i)->right; + *        } + * + *        c_rbtree_add(t, p, i, n); + * + * Once the node is linked into the tree, a simple lookup on the same tree can + * be coded like this: + * + *        CRBNode *i; + * + *        i = t->root; + *        while (i) { + *                int v = compare(n, i); + *                if (v < 0) + *                        i = (*i)->left; + *                else if (v > 0) + *                        i = (*i)->right; + *                else + *                        break; + *        } + * + * When you add nodes to a tree, the memory contents of the node do not matter. + * That is, there is no need to initialize the node via c_rbnode_init(). + * However, if you relink nodes multiple times during their lifetime, it is + * usually very convenient to use c_rbnode_init() and c_rbtree_remove_init(). + * In those cases, you should validate that a node is unlinked before you call + * c_rbtree_add(). + */ +void c_rbtree_add(CRBTree *t, CRBNode *p, CRBNode **l, CRBNode *n) { +        assert(t); +        assert(l); +        assert(n); +        assert(!p || l == &p->left || l == &p->right); +        assert(p || l == &t->root); + +        c_rbnode_set_parent_and_color(n, p, C_RBNODE_RED); +        n->left = n->right = NULL; +        *l = n; + +        c_rbtree_paint(t, n); +} + +static inline CRBNode *c_rbtree_rebalance_one(CRBTree *t, CRBNode *p, CRBNode *n) { +        CRBNode *s, *x, *y, *g; + +        /* +         * Rebalance tree after a node was removed. This happens only if you +         * remove a black node and one path is now left with an unbalanced +         * number or black nodes. +         * This function assumes all paths through p and n have one black node +         * less than all other paths. If recursive fixup is required, the +         * current node is returned. +         */ + +        if (n == p->left) { +                s = p->right; +                if (c_rbnode_is_red(s)) { +                        /* Case 3: +                         * We have a red node as sibling. Rotate it onto our +                         * side so we can later on turn it black. This way, we +                         * gain the additional black node in our path. */ +                        g = c_rbnode_parent(p); +                        x = s->left; +                        p->right = x; +                        s->left = p; +                        c_rbnode_set_parent_and_color(x, p, C_RBNODE_BLACK); +                        c_rbnode_set_parent_and_color(s, g, c_rbnode_color(p)); +                        c_rbnode_set_parent_and_color(p, s, C_RBNODE_RED); +                        c_rbtree_swap_child(t, g, p, s); +                        s = x; +                } + +                x = s->right; +                if (!x || c_rbnode_is_black(x)) { +                        y = s->left; +                        if (!y || c_rbnode_is_black(y)) { +                                /* Case 4: +                                 * Our sibling is black and has only black +                                 * children. Flip it red and turn parent black. +                                 * This way we gained a black node in our path, +                                 * or we fix it recursively one layer up, which +                                 * will rotate the red sibling as parent. */ +                                c_rbnode_set_parent_and_color(s, p, C_RBNODE_RED); +                                if (c_rbnode_is_black(p)) +                                        return p; + +                                c_rbnode_set_parent_and_color(p, c_rbnode_parent(p), C_RBNODE_BLACK); +                                return NULL; +                        } + +                        /* Case 5: +                         * Left child of our sibling is red, right one is black. +                         * Rotate on parent so the right child of our sibling is +                         * now red, and we can fall through to case 6. */ +                        x = y->right; +                        s->left = y->right; +                        y->right = s; +                        p->right = y; +                        if (x) +                                c_rbnode_set_parent_and_color(x, s, C_RBNODE_BLACK); +                        x = s; +                        s = y; +                } + +                /* Case 6: +                 * The right child of our sibling is red. Rotate left and flip +                 * colors, which gains us an additional black node in our path, +                 * that was previously on our sibling. */ +                g = c_rbnode_parent(p); +                y = s->left; +                p->right = y; +                s->left = p; +                c_rbnode_set_parent_and_color(x, s, C_RBNODE_BLACK); +                if (y) +                        c_rbnode_set_parent_and_color(y, p, c_rbnode_color(y)); +                c_rbnode_set_parent_and_color(s, g, c_rbnode_color(p)); +                c_rbnode_set_parent_and_color(p, s, C_RBNODE_BLACK); +                c_rbtree_swap_child(t, g, p, s); +        } else /* if (!n || n == p->right) */ { /* same as above, but mirrored */ +                s = p->left; +                if (c_rbnode_is_red(s)) { +                        g = c_rbnode_parent(p); +                        x = s->right; +                        p->left = x; +                        s->right = p; +                        c_rbnode_set_parent_and_color(x, p, C_RBNODE_BLACK); +                        c_rbnode_set_parent_and_color(s, g, C_RBNODE_BLACK); +                        c_rbnode_set_parent_and_color(p, s, C_RBNODE_RED); +                        c_rbtree_swap_child(t, g, p, s); +                        s = x; +                } + +                x = s->left; +                if (!x || c_rbnode_is_black(x)) { +                        y = s->right; +                        if (!y || c_rbnode_is_black(y)) { +                                c_rbnode_set_parent_and_color(s, p, C_RBNODE_RED); +                                if (c_rbnode_is_black(p)) +                                        return p; + +                                c_rbnode_set_parent_and_color(p, c_rbnode_parent(p), C_RBNODE_BLACK); +                                return NULL; +                        } + +                        x = y->left; +                        s->right = y->left; +                        y->left = s; +                        p->left = y; +                        if (x) +                                c_rbnode_set_parent_and_color(x, s, C_RBNODE_BLACK); +                        x = s; +                        s = y; +                } + +                g = c_rbnode_parent(p); +                y = s->right; +                p->left = y; +                s->right = p; +                c_rbnode_set_parent_and_color(x, s, C_RBNODE_BLACK); +                if (y) +                        c_rbnode_set_parent_and_color(y, p, c_rbnode_color(y)); +                c_rbnode_set_parent_and_color(s, g, c_rbnode_color(p)); +                c_rbnode_set_parent_and_color(p, s, C_RBNODE_BLACK); +                c_rbtree_swap_child(t, g, p, s); +        } + +        return NULL; +} + +static inline void c_rbtree_rebalance(CRBTree *t, CRBNode *p) { +        CRBNode *n = NULL; + +        assert(t); +        assert(p); + +        do { +                n = c_rbtree_rebalance_one(t, p, n); +                p = n ? c_rbnode_parent(n) : NULL; +        } while (p); +} + +/** + * c_rbtree_remove() - remove node from tree + * @t:          tree to operate one + * @n:          node to remove + * + * This removes the given node from its tree. Once unlinked, the tree is + * rebalanced. + * The caller *must* ensure that the given tree is actually the tree it is + * linked on. Otherwise, behavior is undefined. + * + * This does *NOT* reset @n to being unlinked (for performance reason, this + * function *never* modifies @n at all). If you need this, use + * c_rbtree_remove_init(). + */ +void c_rbtree_remove(CRBTree *t, CRBNode *n) { +        CRBNode *p, *s, *gc, *x, *next = NULL; +        unsigned long c; + +        assert(t); +        assert(n); +        assert(c_rbnode_is_linked(n)); + +        /* +         * There are three distinct cases during node removal of a tree: +         *  * The node has no children, in which case it can simply be removed. +         *  * The node has exactly one child, in which case the child displaces +         *    its parent. +         *  * The node has two children, in which case there is guaranteed to +         *    be a successor to the node (successor being the node ordered +         *    directly after it). This successor cannot have two children by +         *    itself (two interior nodes can never be successive). Therefore, +         *    we can simply swap the node with its successor (including color) +         *    and have reduced this case to either of the first two. +         * +         * Whenever the node we removed was black, we have to rebalance the +         * tree. Note that this affects the actual node we _remove_, not @n (in +         * case we swap it). +         * +         *      p: parent +         *      s: successor +         *      gc: grand-...-child +         *      x: temporary +         *      next: next node to rebalance on +         */ + +        if (!n->left) { +                /* +                 * Case 1: +                 * The node has no left child. If it neither has a right child, +                 * it is a leaf-node and we can simply unlink it. If it also +                 * was black, we have to rebalance, as always if we remove a +                 * black node. +                 * But if the node has a right child, the child *must* be red +                 * (otherwise, the right path has more black nodes as the +                 * non-existing left path), and the node to be removed must +                 * hence be black. We simply replace the node with its child, +                 * turning the red child black, and thus no rebalancing is +                 * required. +                 */ +                p = c_rbnode_parent(n); +                c = c_rbnode_color(n); +                c_rbtree_swap_child(t, p, n, n->right); +                if (n->right) +                        c_rbnode_set_parent_and_color(n->right, p, c); +                else +                        next = (c == C_RBNODE_BLACK) ? p : NULL; +        } else if (!n->right) { +                /* +                 * Case 1.1: +                 * The node has exactly one child, and it is on the left. Treat +                 * it as mirrored case of Case 1 (i.e., replace the node by its +                 * child). +                 */ +                p = c_rbnode_parent(n); +                c = c_rbnode_color(n); +                c_rbtree_swap_child(t, p, n, n->left); +                c_rbnode_set_parent_and_color(n->left, p, c); +        } else { +                /* +                 * Case 2: +                 * We are dealing with a full interior node with a child not on +                 * both sides. Find its successor and swap it. Then remove the +                 * node similar to Case 1. For performance reasons we don't +                 * perform the full swap, but skip links that are about to be +                 * removed, anyway. +                 */ +                s = n->right; +                if (!s->left) { +                        /* right child is next, no need to touch grandchild */ +                        p = s; +                        gc = s->right; +                } else { +                        /* find successor and swap partially */ +                        s = c_rbnode_leftmost(s); +                        p = c_rbnode_parent(s); + +                        gc = s->right; +                        p->left = s->right; +                        s->right = n->right; +                        c_rbnode_set_parent(n->right, s); +                } + +                /* node is partially swapped, now remove as in Case 1 */ +                s->left = n->left; +                c_rbnode_set_parent(n->left, s); + +                x = c_rbnode_parent(n); +                c = c_rbnode_color(n); +                c_rbtree_swap_child(t, x, n, s); +                if (gc) +                        c_rbnode_set_parent_and_color(gc, p, C_RBNODE_BLACK); +                else +                        next = c_rbnode_is_black(s) ? p : NULL; +                c_rbnode_set_parent_and_color(s, x, c); +        } + +        if (next) +                c_rbtree_rebalance(t, next); +} diff --git a/src/basic/c-rbtree.h b/src/basic/c-rbtree.h new file mode 100644 index 0000000000..20c5515ca1 --- /dev/null +++ b/src/basic/c-rbtree.h @@ -0,0 +1,297 @@ +#pragma once + +/*** +  This file is part of systemd. See COPYING for details. + +  systemd is free software; you can redistribute it and/or modify it +  under the terms of the GNU Lesser General Public License as published by +  the Free Software Foundation; either version 2.1 of the License, or +  (at your option) any later version. + +  systemd is distributed in the hope that it will be useful, but +  WITHOUT ANY WARRANTY; without even the implied warranty of +  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU +  Lesser General Public License for more details. + +  You should have received a copy of the GNU Lesser General Public License +  along with systemd; If not, see <http://www.gnu.org/licenses/>. +***/ + +/* + * Standalone Red-Black-Tree Implementation in Standard ISO-C11 + * + * This header provides an RB-Tree API, that is fully implemented in ISO-C11 + * and has no external dependencies. Furthermore, tree traversal, memory + * allocations, and key comparisons a fully in control of the API user. The + * implementation only provides the RB-Tree specific rebalancing and coloring. + * + * A tree is represented by the "CRBTree" structure. It contains a *singly* + * field, which is a pointer to the root node. If NULL, the tree is empty. If + * non-NULL, there is at least a single element in the tree. + * + * Each node of the tree is represented by the "CRBNode" structure. It has + * three fields. The @left and @right members can be accessed by the API user + * directly to traverse the tree. The third member is an implementation detail + * and encodes the parent pointer and color of the node. + * API users are required to embed the CRBNode object into their own objects + * and then use offsetof() (i.e., container_of() and friends) to turn CRBNode + * pointers into pointers to their own structure. + */ + +#ifdef __cplusplus +extern "C" { +#endif + +typedef struct CRBNode CRBNode; +typedef struct CRBTree CRBTree; + +/** + * struct CRBNode - Node of a Red-Black Tree + * @__parent_and_color:         internal state + * @left:                       left child, or NULL + * @right:                      right child, or NULL + * + * Each node in an RB-Tree must embed an CRBNode object. This object contains + * pointers to its left and right child, which can be freely accessed by the + * API user at any time. They are NULL, if the node does not have a left/right + * child. + * + * The @__parent_and_color field must never be accessed directly. It encodes + * the pointer to the parent node, and the color of the node. Use the accessor + * functions instead. + * + * There is no reason to initialize a CRBNode object before linking it. + * However, if you need a boolean state that tells you whether the node is + * linked or not, you should initialize the node via c_rbnode_init() or + * C_RBNODE_INIT. + */ +struct CRBNode { +        CRBNode *__parent_and_color; +        CRBNode *left; +        CRBNode *right; +}; + +#define C_RBNODE_INIT(_var) { .__parent_and_color = &(_var) } + +CRBNode *c_rbnode_leftmost(CRBNode *n); +CRBNode *c_rbnode_rightmost(CRBNode *n); +CRBNode *c_rbnode_next(CRBNode *n); +CRBNode *c_rbnode_prev(CRBNode *n); + +/** + * struct CRBTree - Red-Black Tree + * @root:       pointer to the root node, or NULL + * + * Each Red-Black Tree is rooted in an CRBTree object. This object contains a + * pointer to the root node of the tree. The API user is free to access the + * @root member at any time, and use it to traverse the tree. + * + * To initialize an RB-Tree, set it to NULL / all zero. + */ +struct CRBTree { +        CRBNode *root; +}; + +CRBNode *c_rbtree_first(CRBTree *t); +CRBNode *c_rbtree_last(CRBTree *t); + +void c_rbtree_add(CRBTree *t, CRBNode *p, CRBNode **l, CRBNode *n); +void c_rbtree_remove(CRBTree *t, CRBNode *n); + +/** + * c_rbnode_init() - mark a node as unlinked + * @n:          node to operate on + * + * This marks the node @n as unlinked. The node will be set to a valid state + * that can never happen if the node is linked in a tree. Furthermore, this + * state is fully known to the implementation, and as such handled gracefully + * in all cases. + * + * You are *NOT* required to call this on your node. c_rbtree_add() can handle + * uninitialized nodes just fine. However, calling this allows to use + * c_rbnode_is_linked() to check for the state of a node. Furthermore, + * iterators and accessors can be called on initialized (yet unlinked) nodes. + * + * Use the C_RBNODE_INIT macro if you want to initialize static variables. + */ +static inline void c_rbnode_init(CRBNode *n) { +        *n = (CRBNode)C_RBNODE_INIT(*n); +} + +/** + * c_rbnode_is_linked() - check whether a node is linked + * @n:          node to check, or NULL + * + * This checks whether the passed node is linked. If you pass NULL, or if the + * node is not linked into a tree, this will return false. Otherwise, this + * returns true. + * + * Note that you must have either linked the node or initialized it, before + * calling this function. Never call this function on uninitialized nodes. + * Furthermore, removing a node via c_rbtree_remove() does *NOT* mark the node + * as unlinked. You have to call c_rbnode_init() yourself after removal, or use + * the c_rbtree_remove_init() helper. + * + * Return: true if the node is linked, false if not. + */ +static inline _Bool c_rbnode_is_linked(CRBNode *n) { +        return n && n->__parent_and_color != n; +} + +/** + * c_rbnode_parent() - return parent pointer + * @n           node to access + * + * This returns a pointer to the parent of the given node @n. If @n does not + * have a parent, NULL is returned. If @n is not linked, @n itself is returned. + * + * You should not call this on unlinked or uninitialized nodes! If you do, you + * better know how its semantics. + * + * Return: Pointer to parent. + */ +static inline CRBNode *c_rbnode_parent(CRBNode *n) { +        return (CRBNode*)((unsigned long)n->__parent_and_color & ~1UL); +} + +/** + * c_rbtree_remove_init() - safely remove node from tree and reinitialize it + * @t:          tree to operate on + * @n:          node to remove, or NULL + * + * This is almost the same as c_rbtree_remove(), but extends it slightly, to be + * more convenient to use in many cases: + *  - if @n is unlinked or NULL, this is a no-op + *  - @n is reinitialized after being removed + */ +static inline void c_rbtree_remove_init(CRBTree *t, CRBNode *n) { +        if (c_rbnode_is_linked(n)) { +                c_rbtree_remove(t, n); +                c_rbnode_init(n); +        } +} + +/** + * CRBCompareFunc - compare a node to a key + * @t:          tree where the node is linked to + * @k:          key to compare + * @n:          node to compare + * + * If you use the tree-traversal helpers (which are optional), you need to + * provide this callback so they can compare nodes in a tree to the key you + * look for. + * + * The tree @t is provided as optional context to this callback. The key you + * look for is provided as @k, the current node that should be compared to is + * provided as @n. This function should work like strcmp(), that is, return -1 + * if @key orders before @n, 0 if both compare equal, and 1 if it orders after + * @n. + */ +typedef int (*CRBCompareFunc) (CRBTree *t, void *k, CRBNode *n); + +/** + * c_rbtree_find_node() - find node + * @t:          tree to search through + * @f:          comparison function + * @k:          key to search for + * + * This searches through @t for a node that compares equal to @k. The function + * @f must be provided by the caller, which is used to compare nodes to @k. See + * the documentation of CRBCompareFunc for details. + * + * If there are multiple entries that compare equal to @k, this will return a + * pseudo-randomly picked node. If you need stable lookup functions for trees + * where duplicate entries are allowed, you better code your own lookup. + * + * Return: Pointer to matching node, or NULL. + */ +static inline CRBNode *c_rbtree_find_node(CRBTree *t, CRBCompareFunc f, const void *k) { +        CRBNode *i; + +        assert(t); +        assert(f); + +        i = t->root; +        while (i) { +                int v = f(t, (void *)k, i); +                if (v < 0) +                        i = i->left; +                else if (v > 0) +                        i = i->right; +                else +                        return i; +        } + +        return NULL; +} + +/** + * c_rbtree_find_entry() - find entry + * @_t:         tree to search through + * @_f:         comparison function + * @_k:         key to search for + * @_t:         type of the structure that embeds the nodes + * @_o:         name of the node-member in type @_t + * + * This is very similar to c_rbtree_find_node(), but instead of returning a + * pointer to the CRBNode, it returns a pointer to the surrounding object. This + * object must embed the CRBNode object. The type of the surrounding object + * must be given as @_t, and the name of the embedded CRBNode member as @_o. + * + * See c_rbtree_find_node() for more details. + * + * Return: Pointer to found entry, NULL if not found. + */ +#define c_rbtree_find_entry(_m, _f, _k, _t, _o) \ +        ((_t *)(((char *)c_rbtree_find_node((_m), (_f), (_k)) ?: \ +                (char *)NULL + offsetof(_t, _o)) - offsetof(_t, _o))) + +/** + * c_rbtree_find_slot() - find slot to insert new node + * @t:          tree to search through + * @f:          comparison function + * @k:          key to search for + * @p:          output storage for parent pointer + * + * This searches through @t just like c_rbtree_find_node() does. However, + * instead of returning a pointer to a node that compares equal to @k, this + * searches for a slot to insert a node with key @k. A pointer to the slot is + * returned, and a pointer to the parent of the slot is stored in @p. Both + * can be passed directly to c_rbtree_add(), together with your node to insert. + * + * If there already is a node in the tree, that compares equal to @k, this will + * return NULL and store the conflicting node in @p. In all other cases, + * this will return a pointer (non-NULL) to the empty slot to insert the node + * at. @p will point to the parent node of that slot. + * + * If you want trees that allow duplicate nodes, you better code your own + * insertion function. + * + * Return: Pointer to slot to insert node, or NULL on conflicts. + */ +static inline CRBNode **c_rbtree_find_slot(CRBTree *t, CRBCompareFunc f, const void *k, CRBNode **p) { +        CRBNode **i; + +        assert(t); +        assert(f); +        assert(p); + +        i = &t->root; +        *p = NULL; +        while (*i) { +                int v = f(t, (void *)k, *i); +                *p = *i; +                if (v < 0) +                        i = &(*i)->left; +                else if (v > 0) +                        i = &(*i)->right; +                else +                        return NULL; +        } + +        return i; +} + +#ifdef __cplusplus +} +#endif diff --git a/src/basic/hashmap.c b/src/basic/hashmap.c index b3954e3223..286ddfef5b 100644 --- a/src/basic/hashmap.c +++ b/src/basic/hashmap.c @@ -37,6 +37,7 @@  #include "util.h"  #ifdef ENABLE_DEBUG_HASHMAP +#include <pthread.h>  #include "list.h"  #endif diff --git a/src/basic/socket-util.c b/src/basic/socket-util.c index 79901a6a06..be144e157d 100644 --- a/src/basic/socket-util.c +++ b/src/basic/socket-util.c @@ -440,17 +440,10 @@ const char* socket_address_get_path(const SocketAddress *a) {  }  bool socket_ipv6_is_supported(void) { -        _cleanup_free_ char *l = NULL; - -        if (access("/sys/module/ipv6", F_OK) != 0) +        if (access("/proc/net/sockstat6", F_OK) != 0)                  return false; -        /* If we can't check "disable" parameter, assume enabled */ -        if (read_one_line_file("/sys/module/ipv6/parameters/disable", &l) < 0) -                return true; - -        /* If module was loaded with disable=1 no IPv6 available */ -        return l[0] == '0'; +        return true;  }  bool socket_address_matches_fd(const SocketAddress *a, int fd) { diff --git a/src/core/dbus-execute.c b/src/core/dbus-execute.c index 093179c003..1f736b2686 100644 --- a/src/core/dbus-execute.c +++ b/src/core/dbus-execute.c @@ -632,21 +632,37 @@ const sd_bus_vtable bus_exec_vtable[] = {          SD_BUS_PROPERTY("PassEnvironment", "as", NULL, offsetof(ExecContext, pass_environment), SD_BUS_VTABLE_PROPERTY_CONST),          SD_BUS_PROPERTY("UMask", "u", bus_property_get_mode, offsetof(ExecContext, umask), SD_BUS_VTABLE_PROPERTY_CONST),          SD_BUS_PROPERTY("LimitCPU", "t", bus_property_get_rlimit, offsetof(ExecContext, rlimit[RLIMIT_CPU]), SD_BUS_VTABLE_PROPERTY_CONST), +        SD_BUS_PROPERTY("LimitCPUSoft", "t", bus_property_get_rlimit, offsetof(ExecContext, rlimit[RLIMIT_CPU]), SD_BUS_VTABLE_PROPERTY_CONST),          SD_BUS_PROPERTY("LimitFSIZE", "t", bus_property_get_rlimit, offsetof(ExecContext, rlimit[RLIMIT_FSIZE]), SD_BUS_VTABLE_PROPERTY_CONST), +        SD_BUS_PROPERTY("LimitFSIZESoft", "t", bus_property_get_rlimit, offsetof(ExecContext, rlimit[RLIMIT_FSIZE]), SD_BUS_VTABLE_PROPERTY_CONST),          SD_BUS_PROPERTY("LimitDATA", "t", bus_property_get_rlimit, offsetof(ExecContext, rlimit[RLIMIT_DATA]), SD_BUS_VTABLE_PROPERTY_CONST), +        SD_BUS_PROPERTY("LimitDATASoft", "t", bus_property_get_rlimit, offsetof(ExecContext, rlimit[RLIMIT_DATA]), SD_BUS_VTABLE_PROPERTY_CONST),          SD_BUS_PROPERTY("LimitSTACK", "t", bus_property_get_rlimit, offsetof(ExecContext, rlimit[RLIMIT_STACK]), SD_BUS_VTABLE_PROPERTY_CONST), +        SD_BUS_PROPERTY("LimitSTACKSoft", "t", bus_property_get_rlimit, offsetof(ExecContext, rlimit[RLIMIT_STACK]), SD_BUS_VTABLE_PROPERTY_CONST),          SD_BUS_PROPERTY("LimitCORE", "t", bus_property_get_rlimit, offsetof(ExecContext, rlimit[RLIMIT_CORE]), SD_BUS_VTABLE_PROPERTY_CONST), +        SD_BUS_PROPERTY("LimitCORESoft", "t", bus_property_get_rlimit, offsetof(ExecContext, rlimit[RLIMIT_CORE]), SD_BUS_VTABLE_PROPERTY_CONST),          SD_BUS_PROPERTY("LimitRSS", "t", bus_property_get_rlimit, offsetof(ExecContext, rlimit[RLIMIT_RSS]), SD_BUS_VTABLE_PROPERTY_CONST), +        SD_BUS_PROPERTY("LimitRSSSoft", "t", bus_property_get_rlimit, offsetof(ExecContext, rlimit[RLIMIT_RSS]), SD_BUS_VTABLE_PROPERTY_CONST),          SD_BUS_PROPERTY("LimitNOFILE", "t", bus_property_get_rlimit, offsetof(ExecContext, rlimit[RLIMIT_NOFILE]), SD_BUS_VTABLE_PROPERTY_CONST), +        SD_BUS_PROPERTY("LimitNOFILESoft", "t", bus_property_get_rlimit, offsetof(ExecContext, rlimit[RLIMIT_NOFILE]), SD_BUS_VTABLE_PROPERTY_CONST),          SD_BUS_PROPERTY("LimitAS", "t", bus_property_get_rlimit, offsetof(ExecContext, rlimit[RLIMIT_AS]), SD_BUS_VTABLE_PROPERTY_CONST), +        SD_BUS_PROPERTY("LimitASSoft", "t", bus_property_get_rlimit, offsetof(ExecContext, rlimit[RLIMIT_AS]), SD_BUS_VTABLE_PROPERTY_CONST),          SD_BUS_PROPERTY("LimitNPROC", "t", bus_property_get_rlimit, offsetof(ExecContext, rlimit[RLIMIT_NPROC]), SD_BUS_VTABLE_PROPERTY_CONST), +        SD_BUS_PROPERTY("LimitNPROCSoft", "t", bus_property_get_rlimit, offsetof(ExecContext, rlimit[RLIMIT_NPROC]), SD_BUS_VTABLE_PROPERTY_CONST),          SD_BUS_PROPERTY("LimitMEMLOCK", "t", bus_property_get_rlimit, offsetof(ExecContext, rlimit[RLIMIT_MEMLOCK]), SD_BUS_VTABLE_PROPERTY_CONST), +        SD_BUS_PROPERTY("LimitMEMLOCKSoft", "t", bus_property_get_rlimit, offsetof(ExecContext, rlimit[RLIMIT_MEMLOCK]), SD_BUS_VTABLE_PROPERTY_CONST),          SD_BUS_PROPERTY("LimitLOCKS", "t", bus_property_get_rlimit, offsetof(ExecContext, rlimit[RLIMIT_LOCKS]), SD_BUS_VTABLE_PROPERTY_CONST), +        SD_BUS_PROPERTY("LimitLOCKSSoft", "t", bus_property_get_rlimit, offsetof(ExecContext, rlimit[RLIMIT_LOCKS]), SD_BUS_VTABLE_PROPERTY_CONST),          SD_BUS_PROPERTY("LimitSIGPENDING", "t", bus_property_get_rlimit, offsetof(ExecContext, rlimit[RLIMIT_SIGPENDING]), SD_BUS_VTABLE_PROPERTY_CONST), +        SD_BUS_PROPERTY("LimitSIGPENDINGSoft", "t", bus_property_get_rlimit, offsetof(ExecContext, rlimit[RLIMIT_SIGPENDING]), SD_BUS_VTABLE_PROPERTY_CONST),          SD_BUS_PROPERTY("LimitMSGQUEUE", "t", bus_property_get_rlimit, offsetof(ExecContext, rlimit[RLIMIT_MSGQUEUE]), SD_BUS_VTABLE_PROPERTY_CONST), +        SD_BUS_PROPERTY("LimitMSGQUEUESoft", "t", bus_property_get_rlimit, offsetof(ExecContext, rlimit[RLIMIT_MSGQUEUE]), SD_BUS_VTABLE_PROPERTY_CONST),          SD_BUS_PROPERTY("LimitNICE", "t", bus_property_get_rlimit, offsetof(ExecContext, rlimit[RLIMIT_NICE]), SD_BUS_VTABLE_PROPERTY_CONST), +        SD_BUS_PROPERTY("LimitNICESoft", "t", bus_property_get_rlimit, offsetof(ExecContext, rlimit[RLIMIT_NICE]), SD_BUS_VTABLE_PROPERTY_CONST),          SD_BUS_PROPERTY("LimitRTPRIO", "t", bus_property_get_rlimit, offsetof(ExecContext, rlimit[RLIMIT_RTPRIO]), SD_BUS_VTABLE_PROPERTY_CONST), +        SD_BUS_PROPERTY("LimitRTPRIOSoft", "t", bus_property_get_rlimit, offsetof(ExecContext, rlimit[RLIMIT_RTPRIO]), SD_BUS_VTABLE_PROPERTY_CONST),          SD_BUS_PROPERTY("LimitRTTIME", "t", bus_property_get_rlimit, offsetof(ExecContext, rlimit[RLIMIT_RTTIME]), SD_BUS_VTABLE_PROPERTY_CONST), +        SD_BUS_PROPERTY("LimitRTTIMESoft", "t", bus_property_get_rlimit, offsetof(ExecContext, rlimit[RLIMIT_RTTIME]), SD_BUS_VTABLE_PROPERTY_CONST),          SD_BUS_PROPERTY("WorkingDirectory", "s", property_get_working_directory, 0, SD_BUS_VTABLE_PROPERTY_CONST),          SD_BUS_PROPERTY("RootDirectory", "s", NULL, offsetof(ExecContext, root_directory), SD_BUS_VTABLE_PROPERTY_CONST),          SD_BUS_PROPERTY("OOMScoreAdjust", "i", property_get_oom_score_adjust, 0, SD_BUS_VTABLE_PROPERTY_CONST), diff --git a/src/core/dbus-manager.c b/src/core/dbus-manager.c index 5457b2451b..8a523cc8ac 100644 --- a/src/core/dbus-manager.c +++ b/src/core/dbus-manager.c @@ -229,7 +229,10 @@ static int property_set_log_level(          if (r < 0)                  return r; -        return log_set_max_level_from_string(t); +        r = log_set_max_level_from_string(t); +        if (r == 0) +                log_info("Setting log level to %s.", t); +        return r;  }  static int property_get_n_names( @@ -1939,21 +1942,37 @@ const sd_bus_vtable bus_manager_vtable[] = {          SD_BUS_PROPERTY("DefaultMemoryAccounting", "b", bus_property_get_bool, offsetof(Manager, default_memory_accounting), SD_BUS_VTABLE_PROPERTY_CONST),          SD_BUS_PROPERTY("DefaultTasksAccounting", "b", bus_property_get_bool, offsetof(Manager, default_tasks_accounting), SD_BUS_VTABLE_PROPERTY_CONST),          SD_BUS_PROPERTY("DefaultLimitCPU", "t", bus_property_get_rlimit, offsetof(Manager, rlimit[RLIMIT_CPU]), SD_BUS_VTABLE_PROPERTY_CONST), +        SD_BUS_PROPERTY("DefaultLimitCPUSoft", "t", bus_property_get_rlimit, offsetof(Manager, rlimit[RLIMIT_CPU]), SD_BUS_VTABLE_PROPERTY_CONST),          SD_BUS_PROPERTY("DefaultLimitFSIZE", "t", bus_property_get_rlimit, offsetof(Manager, rlimit[RLIMIT_FSIZE]), SD_BUS_VTABLE_PROPERTY_CONST), +        SD_BUS_PROPERTY("DefaultLimitFSIZESoft", "t", bus_property_get_rlimit, offsetof(Manager, rlimit[RLIMIT_FSIZE]), SD_BUS_VTABLE_PROPERTY_CONST),          SD_BUS_PROPERTY("DefaultLimitDATA", "t", bus_property_get_rlimit, offsetof(Manager, rlimit[RLIMIT_DATA]), SD_BUS_VTABLE_PROPERTY_CONST), +        SD_BUS_PROPERTY("DefaultLimitDATASoft", "t", bus_property_get_rlimit, offsetof(Manager, rlimit[RLIMIT_DATA]), SD_BUS_VTABLE_PROPERTY_CONST),          SD_BUS_PROPERTY("DefaultLimitSTACK", "t", bus_property_get_rlimit, offsetof(Manager, rlimit[RLIMIT_STACK]), SD_BUS_VTABLE_PROPERTY_CONST), +        SD_BUS_PROPERTY("DefaultLimitSTACKSoft", "t", bus_property_get_rlimit, offsetof(Manager, rlimit[RLIMIT_STACK]), SD_BUS_VTABLE_PROPERTY_CONST),          SD_BUS_PROPERTY("DefaultLimitCORE", "t", bus_property_get_rlimit, offsetof(Manager, rlimit[RLIMIT_CORE]), SD_BUS_VTABLE_PROPERTY_CONST), +        SD_BUS_PROPERTY("DefaultLimitCORESoft", "t", bus_property_get_rlimit, offsetof(Manager, rlimit[RLIMIT_CORE]), SD_BUS_VTABLE_PROPERTY_CONST),          SD_BUS_PROPERTY("DefaultLimitRSS", "t", bus_property_get_rlimit, offsetof(Manager, rlimit[RLIMIT_RSS]), SD_BUS_VTABLE_PROPERTY_CONST), +        SD_BUS_PROPERTY("DefaultLimitRSSSoft", "t", bus_property_get_rlimit, offsetof(Manager, rlimit[RLIMIT_RSS]), SD_BUS_VTABLE_PROPERTY_CONST),          SD_BUS_PROPERTY("DefaultLimitNOFILE", "t", bus_property_get_rlimit, offsetof(Manager, rlimit[RLIMIT_NOFILE]), SD_BUS_VTABLE_PROPERTY_CONST), +        SD_BUS_PROPERTY("DefaultLimitNOFILESoft", "t", bus_property_get_rlimit, offsetof(Manager, rlimit[RLIMIT_NOFILE]), SD_BUS_VTABLE_PROPERTY_CONST),          SD_BUS_PROPERTY("DefaultLimitAS", "t", bus_property_get_rlimit, offsetof(Manager, rlimit[RLIMIT_AS]), SD_BUS_VTABLE_PROPERTY_CONST), +        SD_BUS_PROPERTY("DefaultLimitASSoft", "t", bus_property_get_rlimit, offsetof(Manager, rlimit[RLIMIT_AS]), SD_BUS_VTABLE_PROPERTY_CONST),          SD_BUS_PROPERTY("DefaultLimitNPROC", "t", bus_property_get_rlimit, offsetof(Manager, rlimit[RLIMIT_NPROC]), SD_BUS_VTABLE_PROPERTY_CONST), +        SD_BUS_PROPERTY("DefaultLimitNPROCSoft", "t", bus_property_get_rlimit, offsetof(Manager, rlimit[RLIMIT_NPROC]), SD_BUS_VTABLE_PROPERTY_CONST),          SD_BUS_PROPERTY("DefaultLimitMEMLOCK", "t", bus_property_get_rlimit, offsetof(Manager, rlimit[RLIMIT_MEMLOCK]), SD_BUS_VTABLE_PROPERTY_CONST), +        SD_BUS_PROPERTY("DefaultLimitMEMLOCKSoft", "t", bus_property_get_rlimit, offsetof(Manager, rlimit[RLIMIT_MEMLOCK]), SD_BUS_VTABLE_PROPERTY_CONST),          SD_BUS_PROPERTY("DefaultLimitLOCKS", "t", bus_property_get_rlimit, offsetof(Manager, rlimit[RLIMIT_LOCKS]), SD_BUS_VTABLE_PROPERTY_CONST), +        SD_BUS_PROPERTY("DefaultLimitLOCKSSoft", "t", bus_property_get_rlimit, offsetof(Manager, rlimit[RLIMIT_LOCKS]), SD_BUS_VTABLE_PROPERTY_CONST),          SD_BUS_PROPERTY("DefaultLimitSIGPENDING", "t", bus_property_get_rlimit, offsetof(Manager, rlimit[RLIMIT_SIGPENDING]), SD_BUS_VTABLE_PROPERTY_CONST), +        SD_BUS_PROPERTY("DefaultLimitSIGPENDINGSoft", "t", bus_property_get_rlimit, offsetof(Manager, rlimit[RLIMIT_SIGPENDING]), SD_BUS_VTABLE_PROPERTY_CONST),          SD_BUS_PROPERTY("DefaultLimitMSGQUEUE", "t", bus_property_get_rlimit, offsetof(Manager, rlimit[RLIMIT_MSGQUEUE]), SD_BUS_VTABLE_PROPERTY_CONST), +        SD_BUS_PROPERTY("DefaultLimitMSGQUEUESoft", "t", bus_property_get_rlimit, offsetof(Manager, rlimit[RLIMIT_MSGQUEUE]), SD_BUS_VTABLE_PROPERTY_CONST),          SD_BUS_PROPERTY("DefaultLimitNICE", "t", bus_property_get_rlimit, offsetof(Manager, rlimit[RLIMIT_NICE]), SD_BUS_VTABLE_PROPERTY_CONST), +        SD_BUS_PROPERTY("DefaultLimitNICESoft", "t", bus_property_get_rlimit, offsetof(Manager, rlimit[RLIMIT_NICE]), SD_BUS_VTABLE_PROPERTY_CONST),          SD_BUS_PROPERTY("DefaultLimitRTPRIO", "t", bus_property_get_rlimit, offsetof(Manager, rlimit[RLIMIT_RTPRIO]), SD_BUS_VTABLE_PROPERTY_CONST), +        SD_BUS_PROPERTY("DefaultLimitRTPRIOSoft", "t", bus_property_get_rlimit, offsetof(Manager, rlimit[RLIMIT_RTPRIO]), SD_BUS_VTABLE_PROPERTY_CONST),          SD_BUS_PROPERTY("DefaultLimitRTTIME", "t", bus_property_get_rlimit, offsetof(Manager, rlimit[RLIMIT_RTTIME]), SD_BUS_VTABLE_PROPERTY_CONST), +        SD_BUS_PROPERTY("DefaultLimitRTTIMESoft", "t", bus_property_get_rlimit, offsetof(Manager, rlimit[RLIMIT_RTTIME]), SD_BUS_VTABLE_PROPERTY_CONST),          SD_BUS_PROPERTY("DefaultTasksMax", "t", NULL, offsetof(Manager, default_tasks_max), SD_BUS_VTABLE_PROPERTY_CONST),          SD_BUS_PROPERTY("TimerSlackNSec", "t", property_get_timer_slack_nsec, 0, SD_BUS_VTABLE_PROPERTY_CONST), diff --git a/src/core/dbus.c b/src/core/dbus.c index e7ee216f0e..58069f59c3 100644 --- a/src/core/dbus.c +++ b/src/core/dbus.c @@ -736,7 +736,9 @@ static int bus_on_connection(sd_event_source *s, int fd, uint32_t revents, void  static int bus_list_names(Manager *m, sd_bus *bus) {          _cleanup_strv_free_ char **names = NULL; -        char **i; +        const char *name; +        Iterator i; +        Unit *u;          int r;          assert(m); @@ -746,15 +748,55 @@ static int bus_list_names(Manager *m, sd_bus *bus) {          if (r < 0)                  return log_error_errno(r, "Failed to get initial list of names: %m"); -        /* This is a bit hacky, we say the owner of the name is the -         * name itself, because we don't want the extra traffic to -         * figure out the real owner. */ -        STRV_FOREACH(i, names) { -                Unit *u; +        /* We have to synchronize the current bus names with the +         * list of active services. To do this, walk the list of +         * all units with bus names. */ +        HASHMAP_FOREACH_KEY(u, name, m->watch_bus, i) { +                Service *s = SERVICE(u); + +                assert(s); -                u = hashmap_get(m->watch_bus, *i); -                if (u) -                        UNIT_VTABLE(u)->bus_name_owner_change(u, *i, NULL, *i); +                if (!streq_ptr(s->bus_name, name)) { +                        log_unit_warning(u, "Bus name has changed from %s → %s, ignoring.", s->bus_name, name); +                        continue; +                } + +                /* Check if a service's bus name is in the list of currently +                 * active names */ +                if (strv_contains(names, name)) { +                        _cleanup_(sd_bus_creds_unrefp) sd_bus_creds *creds = NULL; +                        const char *unique; + +                        /* If it is, determine its current owner */ +                        r = sd_bus_get_name_creds(bus, name, SD_BUS_CREDS_UNIQUE_NAME, &creds); +                        if (r < 0) { +                                log_error_errno(r, "Failed to get bus name owner %s: %m", name); +                                continue; +                        } + +                        r = sd_bus_creds_get_unique_name(creds, &unique); +                        if (r < 0) { +                                log_error_errno(r, "Failed to get unique name for %s: %m", name); +                                continue; +                        } + +                        /* Now, let's compare that to the previous bus owner, and +                         * if it's still the same, all is fine, so just don't +                         * bother the service. Otherwise, the name has apparently +                         * changed, so synthesize a name owner changed signal. */ + +                        if (!streq_ptr(unique, s->bus_name_owner)) +                                UNIT_VTABLE(u)->bus_name_owner_change(u, name, s->bus_name_owner, unique); +                } else { +                        /* So, the name we're watching is not on the bus. +                         * This either means it simply hasn't appeared yet, +                         * or it was lost during the daemon reload. +                         * Check if the service has a stored name owner, +                         * and synthesize a name loss signal in this case. */ + +                        if (s->bus_name_owner) +                                UNIT_VTABLE(u)->bus_name_owner_change(u, name, s->bus_name_owner, NULL); +                }          }          return 0; @@ -808,7 +850,9 @@ static int bus_setup_api(Manager *m, sd_bus *bus) {          if (r < 0)                  return log_error_errno(r, "Failed to register name: %m"); -        bus_list_names(m, bus); +        r = bus_list_names(m, bus); +        if (r < 0) +                return r;          log_debug("Successfully connected to API bus.");          return 0; diff --git a/src/core/execute.c b/src/core/execute.c index 4f67a9de83..9b76861919 100644 --- a/src/core/execute.c +++ b/src/core/execute.c @@ -2413,9 +2413,12 @@ void exec_context_dump(ExecContext *c, FILE* f, const char *prefix) {                          prefix, c->oom_score_adjust);          for (i = 0; i < RLIM_NLIMITS; i++) -                if (c->rlimit[i]) -                        fprintf(f, "%s%s: " RLIM_FMT " " RLIM_FMT "\n", -                                prefix, rlimit_to_string(i), c->rlimit[i]->rlim_cur, c->rlimit[i]->rlim_max); +                if (c->rlimit[i]) { +                        fprintf(f, "%s%s: " RLIM_FMT "\n", +                                prefix, rlimit_to_string(i), c->rlimit[i]->rlim_max); +                        fprintf(f, "%s%sSoft: " RLIM_FMT "\n", +                                prefix, rlimit_to_string(i), c->rlimit[i]->rlim_cur); +                }          if (c->ioprio_set) {                  _cleanup_free_ char *class_str = NULL; diff --git a/src/core/manager.c b/src/core/manager.c index 34dd715e93..e65616adc1 100644 --- a/src/core/manager.c +++ b/src/core/manager.c @@ -1885,23 +1885,21 @@ static int manager_dispatch_signal_fd(sd_event_source *source, int fd, uint32_t                          switch (sfsi.ssi_signo - SIGRTMIN) {                          case 20: -                                log_debug("Enabling showing of status.");                                  manager_set_show_status(m, SHOW_STATUS_YES);                                  break;                          case 21: -                                log_debug("Disabling showing of status.");                                  manager_set_show_status(m, SHOW_STATUS_NO);                                  break;                          case 22:                                  log_set_max_level(LOG_DEBUG); -                                log_notice("Setting log level to debug."); +                                log_info("Setting log level to debug.");                                  break;                          case 23:                                  log_set_max_level(LOG_INFO); -                                log_notice("Setting log level to info."); +                                log_info("Setting log level to info.");                                  break;                          case 24: @@ -2961,6 +2959,9 @@ void manager_set_show_status(Manager *m, ShowStatus mode) {          if (m->running_as != MANAGER_SYSTEM)                  return; +        if (m->show_status != mode) +                log_debug("%s showing of status.", +                          mode == SHOW_STATUS_NO ? "Disabling" : "Enabling");          m->show_status = mode;          if (mode > 0) diff --git a/src/core/service.c b/src/core/service.c index 41a729c421..c5b689a35c 100644 --- a/src/core/service.c +++ b/src/core/service.c @@ -323,6 +323,8 @@ static void service_done(Unit *u) {                  s->bus_name = mfree(s->bus_name);          } +        s->bus_name_owner = mfree(s->bus_name_owner); +          s->bus_endpoint_fd = safe_close(s->bus_endpoint_fd);          service_close_socket_fd(s);          service_connection_unref(s); @@ -2122,6 +2124,7 @@ static int service_serialize(Unit *u, FILE *f, FDSet *fds) {          unit_serialize_item(u, f, "main-pid-known", yes_no(s->main_pid_known));          unit_serialize_item(u, f, "bus-name-good", yes_no(s->bus_name_good)); +        unit_serialize_item(u, f, "bus-name-owner", s->bus_name_owner);          r = unit_serialize_item_escaped(u, f, "status-text", s->status_text);          if (r < 0) @@ -2249,6 +2252,10 @@ static int service_deserialize_item(Unit *u, const char *key, const char *value,                          log_unit_debug(u, "Failed to parse bus-name-good value: %s", value);                  else                          s->bus_name_good = b; +        } else if (streq(key, "bus-name-owner")) { +                r = free_and_strdup(&s->bus_name_owner, value); +                if (r < 0) +                        log_unit_error_errno(u, r, "Unable to deserialize current bus owner %s: %m", value);          } else if (streq(key, "status-text")) {                  char *t; @@ -3134,6 +3141,13 @@ static void service_bus_name_owner_change(          s->bus_name_good = !!new_owner; +        /* Track the current owner, so we can reconstruct changes after a daemon reload */ +        r = free_and_strdup(&s->bus_name_owner, new_owner); +        if (r < 0) { +                log_unit_error_errno(u, r, "Unable to set new bus name owner %s: %m", new_owner); +                return; +        } +          if (s->type == SERVICE_DBUS) {                  /* service_enter_running() will figure out what to diff --git a/src/core/service.h b/src/core/service.h index d0faad88e0..19efbccfc7 100644 --- a/src/core/service.h +++ b/src/core/service.h @@ -172,6 +172,7 @@ struct Service {          bool reset_cpu_usage:1;          char *bus_name; +        char *bus_name_owner; /* unique name of the current owner */          char *status_text;          int status_errno; diff --git a/src/core/socket.c b/src/core/socket.c index 7beec3644e..d6b0c963e8 100644 --- a/src/core/socket.c +++ b/src/core/socket.c @@ -156,14 +156,16 @@ static void socket_done(Unit *u) {          s->tcp_congestion = mfree(s->tcp_congestion);          s->bind_to_device = mfree(s->bind_to_device); -        free(s->smack); -        free(s->smack_ip_in); -        free(s->smack_ip_out); +        s->smack = mfree(s->smack); +        s->smack_ip_in = mfree(s->smack_ip_in); +        s->smack_ip_out = mfree(s->smack_ip_out);          strv_free(s->symlinks); -        free(s->user); -        free(s->group); +        s->user = mfree(s->user); +        s->group = mfree(s->group); + +        s->fdname = mfree(s->fdname);          s->timer_event_source = sd_event_source_unref(s->timer_event_source);  } diff --git a/src/core/transaction.c b/src/core/transaction.c index 15e79d00b3..2f163190e9 100644 --- a/src/core/transaction.c +++ b/src/core/transaction.c @@ -950,7 +950,7 @@ int transaction_add_job_and_dependencies(                                  r = transaction_add_job_and_dependencies(tr, JOB_START, dep, ret, false, false, false, ignore_order, e);                                  if (r < 0) {                                          log_unit_full(dep, -                                                      r == -EADDRNOTAVAIL ? LOG_DEBUG : LOG_WARNING, r, +                                                      r == -EBADR /* unit masked */ ? LOG_DEBUG : LOG_WARNING, r,                                                        "Cannot add dependency job, ignoring: %s",                                                        bus_error_message(e, r));                                          sd_bus_error_free(e); diff --git a/src/hostname/hostnamed.c b/src/hostname/hostnamed.c index d383041d39..84605fa267 100644 --- a/src/hostname/hostnamed.c +++ b/src/hostname/hostnamed.c @@ -212,7 +212,7 @@ try_dmi:             unreliable enough, so let's not do any additional guesswork             on top of that. -           See the SMBIOS Specification 4.0 section 7.4.1 for +           See the SMBIOS Specification 3.0 section 7.4.1 for             details about the values listed here:             https://www.dmtf.org/sites/default/files/standards/documents/DSP0134_3.0.0.pdf diff --git a/src/import/importd.c b/src/import/importd.c index 1f308b36b3..1b777c32b6 100644 --- a/src/import/importd.c +++ b/src/import/importd.c @@ -55,7 +55,6 @@ typedef enum TransferType {          TRANSFER_EXPORT_RAW,          TRANSFER_PULL_TAR,          TRANSFER_PULL_RAW, -        TRANSFER_PULL_DKR,          _TRANSFER_TYPE_MAX,          _TRANSFER_TYPE_INVALID = -1,  } TransferType; @@ -74,7 +73,6 @@ struct Transfer {          bool force_local;          bool read_only; -        char *dkr_index_url;          char *format;          pid_t pid; @@ -117,7 +115,6 @@ static const char* const transfer_type_table[_TRANSFER_TYPE_MAX] = {          [TRANSFER_EXPORT_RAW] = "export-raw",          [TRANSFER_PULL_TAR] = "pull-tar",          [TRANSFER_PULL_RAW] = "pull-raw", -        [TRANSFER_PULL_DKR] = "pull-dkr",  };  DEFINE_PRIVATE_STRING_TABLE_LOOKUP_TO_STRING(transfer_type, TransferType); @@ -134,7 +131,6 @@ static Transfer *transfer_unref(Transfer *t) {          free(t->remote);          free(t->local); -        free(t->dkr_index_url);          free(t->format);          free(t->object_path); @@ -383,12 +379,11 @@ static int transfer_start(Transfer *t) {          if (t->pid == 0) {                  const char *cmd[] = {                          NULL, /* systemd-import, systemd-export or systemd-pull */ -                        NULL, /* tar, raw, dkr */ +                        NULL, /* tar, raw  */                          NULL, /* --verify= */                          NULL, /* verify argument */                          NULL, /* maybe --force */                          NULL, /* maybe --read-only */ -                        NULL, /* maybe --dkr-index-url */                          NULL, /* if so: the actual URL */                          NULL, /* maybe --format= */                          NULL, /* if so: the actual format */ @@ -471,10 +466,8 @@ static int transfer_start(Transfer *t) {                  if (IN_SET(t->type, TRANSFER_IMPORT_TAR, TRANSFER_EXPORT_TAR, TRANSFER_PULL_TAR))                          cmd[k++] = "tar"; -                else if (IN_SET(t->type, TRANSFER_IMPORT_RAW, TRANSFER_EXPORT_RAW, TRANSFER_PULL_RAW)) -                        cmd[k++] = "raw";                  else -                        cmd[k++] = "dkr"; +                        cmd[k++] = "raw";                  if (t->verify != _IMPORT_VERIFY_INVALID) {                          cmd[k++] = "--verify"; @@ -486,11 +479,6 @@ static int transfer_start(Transfer *t) {                  if (t->read_only)                          cmd[k++] = "--read-only"; -                if (t->dkr_index_url) { -                        cmd[k++] = "--dkr-index-url"; -                        cmd[k++] = t->dkr_index_url; -                } -                  if (t->format) {                          cmd[k++] = "--format";                          cmd[k++] = t->format; @@ -707,7 +695,7 @@ static int manager_new(Manager **ret) {          return 0;  } -static Transfer *manager_find(Manager *m, TransferType type, const char *dkr_index_url, const char *remote) { +static Transfer *manager_find(Manager *m, TransferType type, const char *remote) {          Transfer *t;          Iterator i; @@ -718,8 +706,7 @@ static Transfer *manager_find(Manager *m, TransferType type, const char *dkr_ind          HASHMAP_FOREACH(t, m->transfers, i) {                  if (t->type == type && -                    streq_ptr(t->remote, remote) && -                    streq_ptr(t->dkr_index_url, dkr_index_url)) +                    streq_ptr(t->remote, remote))                          return t;          } @@ -907,7 +894,7 @@ static int method_pull_tar_or_raw(sd_bus_message *msg, void *userdata, sd_bus_er          type = streq_ptr(sd_bus_message_get_member(msg), "PullTar") ? TRANSFER_PULL_TAR : TRANSFER_PULL_RAW; -        if (manager_find(m, type, NULL, remote)) +        if (manager_find(m, type, remote))                  return sd_bus_error_setf(error, BUS_ERROR_TRANSFER_IN_PROGRESS, "Transfer for %s already in progress.", remote);          r = transfer_new(m, &t); @@ -939,105 +926,6 @@ static int method_pull_tar_or_raw(sd_bus_message *msg, void *userdata, sd_bus_er          return sd_bus_reply_method_return(msg, "uo", id, object);  } -static int method_pull_dkr(sd_bus_message *msg, void *userdata, sd_bus_error *error) { -        _cleanup_(transfer_unrefp) Transfer *t = NULL; -        const char *index_url, *remote, *tag, *local, *verify, *object; -        Manager *m = userdata; -        ImportVerify v; -        int force, r; -        uint32_t id; - -        assert(msg); -        assert(m); - -        r = bus_verify_polkit_async( -                        msg, -                        CAP_SYS_ADMIN, -                        "org.freedesktop.import1.pull", -                        NULL, -                        false, -                        UID_INVALID, -                        &m->polkit_registry, -                        error); -        if (r < 0) -                return r; -        if (r == 0) -                return 1; /* Will call us back */ - -        r = sd_bus_message_read(msg, "sssssb", &index_url, &remote, &tag, &local, &verify, &force); -        if (r < 0) -                return r; - -        if (isempty(index_url)) -                index_url = DEFAULT_DKR_INDEX_URL; -        if (!index_url) -                return sd_bus_error_setf(error, SD_BUS_ERROR_INVALID_ARGS, "Index URL must be specified."); -        if (!http_url_is_valid(index_url)) -                return sd_bus_error_setf(error, SD_BUS_ERROR_INVALID_ARGS, "Index URL %s is invalid", index_url); - -        if (!dkr_name_is_valid(remote)) -                return sd_bus_error_setf(error, SD_BUS_ERROR_INVALID_ARGS, "Remote name %s is not valid", remote); - -        if (isempty(tag)) -                tag = "latest"; -        else if (!dkr_tag_is_valid(tag)) -                return sd_bus_error_setf(error, SD_BUS_ERROR_INVALID_ARGS, "Tag %s is not valid", tag); - -        if (isempty(local)) -                local = NULL; -        else if (!machine_name_is_valid(local)) -                return sd_bus_error_setf(error, SD_BUS_ERROR_INVALID_ARGS, "Local name %s is invalid", local); - -        if (isempty(verify)) -                v = IMPORT_VERIFY_SIGNATURE; -        else -                v = import_verify_from_string(verify); -        if (v < 0) -                return sd_bus_error_setf(error, SD_BUS_ERROR_INVALID_ARGS, "Unknown verification mode %s", verify); - -        if (v != IMPORT_VERIFY_NO) -                return sd_bus_error_setf(error, SD_BUS_ERROR_NOT_SUPPORTED, "DKR does not support verification."); - -        r = setup_machine_directory((uint64_t) -1, error); -        if (r < 0) -                return r; - -        if (manager_find(m, TRANSFER_PULL_DKR, index_url, remote)) -                return sd_bus_error_setf(error, BUS_ERROR_TRANSFER_IN_PROGRESS, "Transfer for %s already in progress.", remote); - -        r = transfer_new(m, &t); -        if (r < 0) -                return r; - -        t->type = TRANSFER_PULL_DKR; -        t->verify = v; -        t->force_local = force; - -        t->dkr_index_url = strdup(index_url); -        if (!t->dkr_index_url) -                return -ENOMEM; - -        t->remote = strjoin(remote, ":", tag, NULL); -        if (!t->remote) -                return -ENOMEM; - -        if (local) { -                t->local = strdup(local); -                if (!t->local) -                        return -ENOMEM; -        } - -        r = transfer_start(t); -        if (r < 0) -                return r; - -        object = t->object_path; -        id = t->id; -        t = NULL; - -        return sd_bus_reply_method_return(msg, "uo", id, object); -} -  static int method_list_transfers(sd_bus_message *msg, void *userdata, sd_bus_error *error) {          _cleanup_(sd_bus_message_unrefp) sd_bus_message *reply = NULL;          Manager *m = userdata; @@ -1188,7 +1076,6 @@ static const sd_bus_vtable manager_vtable[] = {          SD_BUS_METHOD("ExportRaw", "shs", "uo", method_export_tar_or_raw, SD_BUS_VTABLE_UNPRIVILEGED),          SD_BUS_METHOD("PullTar", "sssb", "uo", method_pull_tar_or_raw, SD_BUS_VTABLE_UNPRIVILEGED),          SD_BUS_METHOD("PullRaw", "sssb", "uo", method_pull_tar_or_raw, SD_BUS_VTABLE_UNPRIVILEGED), -        SD_BUS_METHOD("PullDkr", "sssssb", "uo", method_pull_dkr, SD_BUS_VTABLE_UNPRIVILEGED),          SD_BUS_METHOD("ListTransfers", NULL, "a(usssdo)", method_list_transfers, SD_BUS_VTABLE_UNPRIVILEGED),          SD_BUS_METHOD("CancelTransfer", "u", NULL, method_cancel_transfer, SD_BUS_VTABLE_UNPRIVILEGED),          SD_BUS_SIGNAL("TransferNew", "uo", 0), diff --git a/src/import/org.freedesktop.import1.conf b/src/import/org.freedesktop.import1.conf index ae36af422f..ed2539a03b 100644 --- a/src/import/org.freedesktop.import1.conf +++ b/src/import/org.freedesktop.import1.conf @@ -53,10 +53,6 @@                         send_member="PullRaw"/>                  <allow send_destination="org.freedesktop.import1" -                       send_interface="org.freedesktop.import1.Manager" -                       send_member="PullDkr"/> - -                <allow send_destination="org.freedesktop.import1"                         send_interface="org.freedesktop.import1.Transfer"                         send_member="Cancel"/> diff --git a/src/import/pull-dkr.c b/src/import/pull-dkr.c deleted file mode 100644 index 831470ff13..0000000000 --- a/src/import/pull-dkr.c +++ /dev/null @@ -1,1346 +0,0 @@ -/*-*- Mode: C; c-basic-offset: 8; indent-tabs-mode: nil -*-*/ - -/*** -  This file is part of systemd. - -  Copyright 2014 Lennart Poettering - -  systemd is free software; you can redistribute it and/or modify it -  under the terms of the GNU Lesser General Public License as published by -  the Free Software Foundation; either version 2.1 of the License, or -  (at your option) any later version. - -  systemd is distributed in the hope that it will be useful, but -  WITHOUT ANY WARRANTY; without even the implied warranty of -  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU -  Lesser General Public License for more details. - -  You should have received a copy of the GNU Lesser General Public License -  along with systemd; If not, see <http://www.gnu.org/licenses/>. -***/ - -#include <curl/curl.h> -#include <sys/prctl.h> - -#include "sd-daemon.h" - -#include "alloc-util.h" -#include "aufs-util.h" -#include "btrfs-util.h" -#include "curl-util.h" -#include "fd-util.h" -#include "fileio.h" -#include "fs-util.h" -#include "hostname-util.h" -#include "import-common.h" -#include "import-util.h" -#include "json.h" -#include "mkdir.h" -#include "path-util.h" -#include "process-util.h" -#include "pull-common.h" -#include "pull-dkr.h" -#include "pull-job.h" -#include "rm-rf.h" -#include "string-util.h" -#include "strv.h" -#include "utf8.h" -#include "web-util.h" - -typedef enum DkrProgress { -        DKR_SEARCHING, -        DKR_RESOLVING, -        DKR_METADATA, -        DKR_DOWNLOADING, -        DKR_COPYING, -} DkrProgress; - -struct DkrPull { -        sd_event *event; -        CurlGlue *glue; - -        char *index_protocol; -        char *index_address; - -        char *index_url; -        char *image_root; - -        PullJob *images_job; -        PullJob *tags_job; -        PullJob *ancestry_job; -        PullJob *json_job; -        PullJob *layer_job; - -        char *name; -        char *reference; -        char *id; - -        char *response_digest; -        char *response_token; -        char **response_registries; - -        char **ancestry; -        unsigned n_ancestry; -        unsigned current_ancestry; - -        DkrPullFinished on_finished; -        void *userdata; - -        char *local; -        bool force_local; -        bool grow_machine_directory; - -        char *temp_path; -        char *final_path; - -        pid_t tar_pid; -}; - -#define PROTOCOL_PREFIX "https://" - -#define HEADER_TOKEN "X-Do" /* the HTTP header for the auth token */ "cker-Token:" -#define HEADER_REGISTRY "X-Do" /* the HTTP header for the registry */ "cker-Endpoints:" -#define HEADER_DIGEST "Do" /* the HTTP header for the manifest digest */ "cker-Content-Digest:" -#define LAYERS_MAX 127 - -static void dkr_pull_job_on_finished(PullJob *j); - -DkrPull* dkr_pull_unref(DkrPull *i) { -        if (!i) -                return NULL; - -        if (i->tar_pid > 1) { -                (void) kill_and_sigcont(i->tar_pid, SIGKILL); -                (void) wait_for_terminate(i->tar_pid, NULL); -        } - -        pull_job_unref(i->images_job); -        pull_job_unref(i->tags_job); -        pull_job_unref(i->ancestry_job); -        pull_job_unref(i->json_job); -        pull_job_unref(i->layer_job); - -        curl_glue_unref(i->glue); -        sd_event_unref(i->event); - -        if (i->temp_path) { -                (void) rm_rf(i->temp_path, REMOVE_ROOT|REMOVE_PHYSICAL|REMOVE_SUBVOLUME); -                free(i->temp_path); -        } - -        free(i->name); -        free(i->reference); -        free(i->id); -        free(i->response_token); -        strv_free(i->ancestry); -        free(i->final_path); -        free(i->index_address); -        free(i->index_protocol); -        free(i->index_url); -        free(i->image_root); -        free(i->local); -        free(i); - -        return NULL; -} - -int dkr_pull_new( -                DkrPull **ret, -                sd_event *event, -                const char *index_url, -                const char *image_root, -                DkrPullFinished on_finished, -                void *userdata) { - -        _cleanup_(dkr_pull_unrefp) DkrPull *i = NULL; -        char *e; -        int r; - -        assert(ret); -        assert(index_url); - -        if (!http_url_is_valid(index_url)) -                return -EINVAL; - -        i = new0(DkrPull, 1); -        if (!i) -                return -ENOMEM; - -        i->on_finished = on_finished; -        i->userdata = userdata; - -        i->image_root = strdup(image_root ?: "/var/lib/machines"); -        if (!i->image_root) -                return -ENOMEM; - -        i->grow_machine_directory = path_startswith(i->image_root, "/var/lib/machines"); - -        i->index_url = strdup(index_url); -        if (!i->index_url) -                return -ENOMEM; - -        e = endswith(i->index_url, "/"); -        if (e) -                *e = 0; - -        if (event) -                i->event = sd_event_ref(event); -        else { -                r = sd_event_default(&i->event); -                if (r < 0) -                        return r; -        } - -        r = curl_glue_new(&i->glue, i->event); -        if (r < 0) -                return r; - -        i->glue->on_finished = pull_job_curl_on_finished; -        i->glue->userdata = i; - -        *ret = i; -        i = NULL; - -        return 0; -} - -static void dkr_pull_report_progress(DkrPull *i, DkrProgress p) { -        unsigned percent; - -        assert(i); - -        switch (p) { - -        case DKR_SEARCHING: -                percent = 0; -                if (i->images_job) -                        percent += i->images_job->progress_percent * 5 / 100; -                break; - -        case DKR_RESOLVING: -                percent = 5; -                if (i->tags_job) -                        percent += i->tags_job->progress_percent * 5 / 100; -                break; - -        case DKR_METADATA: -                percent = 10; -                if (i->ancestry_job) -                        percent += i->ancestry_job->progress_percent * 5 / 100; -                if (i->json_job) -                        percent += i->json_job->progress_percent * 5 / 100; -                break; - -        case DKR_DOWNLOADING: -                percent = 20; -                percent += 75 * i->current_ancestry / MAX(1U, i->n_ancestry); -                if (i->layer_job) -                        percent += i->layer_job->progress_percent * 75 / MAX(1U, i->n_ancestry) / 100; - -                break; - -        case DKR_COPYING: -                percent = 95; -                break; - -        default: -                assert_not_reached("Unknown progress state"); -        } - -        sd_notifyf(false, "X_IMPORT_PROGRESS=%u", percent); -        log_debug("Combined progress %u%%", percent); -} - -static int parse_id(const void *payload, size_t size, char **ret) { -        _cleanup_free_ char *buf = NULL, *id = NULL, *other = NULL; -        union json_value v = {}; -        void *json_state = NULL; -        const char *p; -        int t; - -        assert(payload); -        assert(ret); - -        if (size <= 0) -                return -EBADMSG; - -        if (memchr(payload, 0, size)) -                return -EBADMSG; - -        buf = strndup(payload, size); -        if (!buf) -                return -ENOMEM; - -        p = buf; -        t = json_tokenize(&p, &id, &v, &json_state, NULL); -        if (t < 0) -                return t; -        if (t != JSON_STRING) -                return -EBADMSG; - -        t = json_tokenize(&p, &other, &v, &json_state, NULL); -        if (t < 0) -                return t; -        if (t != JSON_END) -                return -EBADMSG; - -        if (!dkr_id_is_valid(id)) -                return -EBADMSG; - -        *ret = id; -        id = NULL; - -        return 0; -} - -static int parse_ancestry(const void *payload, size_t size, char ***ret) { -        _cleanup_free_ char *buf = NULL; -        void *json_state = NULL; -        const char *p; -        enum { -                STATE_BEGIN, -                STATE_ITEM, -                STATE_COMMA, -                STATE_END, -        } state = STATE_BEGIN; -        _cleanup_strv_free_ char **l = NULL; -        size_t n = 0, allocated = 0; - -        if (size <= 0) -                return -EBADMSG; - -        if (memchr(payload, 0, size)) -                return -EBADMSG; - -        buf = strndup(payload, size); -        if (!buf) -                return -ENOMEM; - -        p = buf; -        for (;;) { -                _cleanup_free_ char *str; -                union json_value v = {}; -                int t; - -                t = json_tokenize(&p, &str, &v, &json_state, NULL); -                if (t < 0) -                        return t; - -                switch (state) { - -                case STATE_BEGIN: -                        if (t == JSON_ARRAY_OPEN) -                                state = STATE_ITEM; -                        else -                                return -EBADMSG; - -                        break; - -                case STATE_ITEM: -                        if (t == JSON_STRING) { -                                if (!dkr_id_is_valid(str)) -                                        return -EBADMSG; - -                                if (n+1 > LAYERS_MAX) -                                        return -EFBIG; - -                                if (!GREEDY_REALLOC(l, allocated, n + 2)) -                                        return -ENOMEM; - -                                l[n++] = str; -                                str = NULL; -                                l[n] = NULL; - -                                state = STATE_COMMA; - -                        } else if (t == JSON_ARRAY_CLOSE) -                                state = STATE_END; -                        else -                                return -EBADMSG; - -                        break; - -                case STATE_COMMA: -                        if (t == JSON_COMMA) -                                state = STATE_ITEM; -                        else if (t == JSON_ARRAY_CLOSE) -                                state = STATE_END; -                        else -                                return -EBADMSG; -                        break; - -                case STATE_END: -                        if (t == JSON_END) { - -                                if (strv_isempty(l)) -                                        return -EBADMSG; - -                                if (!strv_is_uniq(l)) -                                        return -EBADMSG; - -                                l = strv_reverse(l); - -                                *ret = l; -                                l = NULL; -                                return 0; -                        } else -                                return -EBADMSG; -                } - -        } -} - -static const char *dkr_pull_current_layer(DkrPull *i) { -        assert(i); - -        if (strv_isempty(i->ancestry)) -                return NULL; - -        return i->ancestry[i->current_ancestry]; -} - -static const char *dkr_pull_current_base_layer(DkrPull *i) { -        assert(i); - -        if (strv_isempty(i->ancestry)) -                return NULL; - -        if (i->current_ancestry <= 0) -                return NULL; - -        return i->ancestry[i->current_ancestry-1]; -} - -static int dkr_pull_add_token(DkrPull *i, PullJob *j) { -        const char *t; - -        assert(i); -        assert(j); - -        if (i->response_token) -                t = strjoina("Authorization: Token ", i->response_token); -        else -                t = HEADER_TOKEN " true"; - -        j->request_header = curl_slist_new("Accept: application/json", t, NULL); -        if (!j->request_header) -                return -ENOMEM; - -        return 0; -} - -static int dkr_pull_add_bearer_token(DkrPull *i, PullJob *j) { -        const char *t = NULL; - -        assert(i); -        assert(j); - -        if (i->response_token) -                t = strjoina("Authorization: Bearer ", i->response_token); -        else -                return -EINVAL; - -        j->request_header = curl_slist_new("Accept: application/json", t, NULL); -        if (!j->request_header) -                return -ENOMEM; - -        return 0; -} - -static bool dkr_pull_is_done(DkrPull *i) { -        assert(i); -        assert(i->images_job); -        if (i->images_job->state != PULL_JOB_DONE) -                return false; - -        if (!i->tags_job || i->tags_job->state != PULL_JOB_DONE) -                return false; - -        if (!i->ancestry_job || i->ancestry_job->state != PULL_JOB_DONE) -                return false; - -        if (i->json_job && i->json_job->state != PULL_JOB_DONE) -                return false; - -        if (i->layer_job && i->layer_job->state != PULL_JOB_DONE) -                return false; - -        if (dkr_pull_current_layer(i)) -                return false; - -        return true; -} - -static int dkr_pull_make_local_copy(DkrPull *i, DkrPullVersion version) { -        int r; -        _cleanup_free_ char *p = NULL; - -        assert(i); - -        if (!i->local) -                return 0; - -        if (!i->final_path) { -                i->final_path = strjoin(i->image_root, "/.dkr-", i->id, NULL); -                if (!i->final_path) -                        return -ENOMEM; -        } - -        if (version == DKR_PULL_V2) { -                p = dirname_malloc(i->image_root); -                if (!p) -                        return -ENOMEM; -        } - -        r = pull_make_local_copy(i->final_path, p ?: i->image_root, i->local, i->force_local); -        if (r < 0) -                return r; - -        if (version == DKR_PULL_V2) { -                char **k; - -                STRV_FOREACH(k, i->ancestry) { -                        _cleanup_free_ char *d; - -                        d = strjoin(i->image_root, "/.dkr-", *k, NULL); -                        if (!d) -                                return -ENOMEM; - -                        r = btrfs_subvol_remove(d, BTRFS_REMOVE_QUOTA); -                        if (r < 0) -                               return r; -                } - -                r = rmdir(i->image_root); -                if (r < 0) -                        return r; -        } - -        return 0; -} - -static int dkr_pull_job_on_open_disk(PullJob *j) { -        const char *base; -        DkrPull *i; -        int r; - -        assert(j); -        assert(j->userdata); - -        i = j->userdata; -        assert(i->layer_job == j); -        assert(i->final_path); -        assert(!i->temp_path); -        assert(i->tar_pid <= 0); - -        r = tempfn_random(i->final_path, NULL, &i->temp_path); -        if (r < 0) -                return log_oom(); - -        mkdir_parents_label(i->temp_path, 0700); - -        base = dkr_pull_current_base_layer(i); -        if (base) { -                const char *base_path; - -                base_path = strjoina(i->image_root, "/.dkr-", base); -                r = btrfs_subvol_snapshot(base_path, i->temp_path, BTRFS_SNAPSHOT_FALLBACK_COPY|BTRFS_SNAPSHOT_QUOTA); -        } else -                r = btrfs_subvol_make(i->temp_path); -        if (r < 0) -                return log_error_errno(r, "Failed to make btrfs subvolume %s: %m", i->temp_path); - -        (void) import_assign_pool_quota_and_warn(i->temp_path); - -        j->disk_fd = import_fork_tar_x(i->temp_path, &i->tar_pid); -        if (j->disk_fd < 0) -                return j->disk_fd; - -        return 0; -} - -static void dkr_pull_job_on_progress(PullJob *j) { -        DkrPull *i; - -        assert(j); -        assert(j->userdata); - -        i = j->userdata; - -        dkr_pull_report_progress( -                        i, -                        j == i->images_job                       ? DKR_SEARCHING : -                        j == i->tags_job                         ? DKR_RESOLVING : -                        j == i->ancestry_job || j == i->json_job ? DKR_METADATA : -                                                                   DKR_DOWNLOADING); -} - -static void dkr_pull_job_on_finished_v2(PullJob *j); - -static int dkr_pull_pull_layer_v2(DkrPull *i) { -        _cleanup_free_ char *path = NULL; -        const char *url, *layer = NULL; -        int r; - -        assert(i); -        assert(!i->layer_job); -        assert(!i->temp_path); -        assert(!i->final_path); - -        for (;;) { -                layer = dkr_pull_current_layer(i); -                if (!layer) -                        return 0; /* no more layers */ - -                path = strjoin(i->image_root, "/.dkr-", layer, NULL); -                if (!path) -                        return log_oom(); - -                if (laccess(path, F_OK) < 0) { -                        if (errno == ENOENT) -                                break; - -                        return log_error_errno(errno, "Failed to check for container: %m"); -                } - -                log_info("Layer %s already exists, skipping.", layer); - -                i->current_ancestry++; - -                path = mfree(path); -        } - -        log_info("Pulling layer %s...", layer); - -        i->final_path = path; -        path = NULL; - -        url = strjoina(PROTOCOL_PREFIX, i->response_registries[0], "/v2/", i->name, "/blobs/", layer); -        r = pull_job_new(&i->layer_job, url, i->glue, i); -        if (r < 0) -                return log_error_errno(r, "Failed to allocate layer job: %m"); - -        r = dkr_pull_add_bearer_token(i, i->layer_job); -        if (r < 0) -                return log_oom(); - -        i->layer_job->on_finished = dkr_pull_job_on_finished_v2; -        i->layer_job->on_open_disk = dkr_pull_job_on_open_disk; -        i->layer_job->on_progress = dkr_pull_job_on_progress; -        i->layer_job->grow_machine_directory = i->grow_machine_directory; - -        r = pull_job_begin(i->layer_job); -        if (r < 0) -                return log_error_errno(r, "Failed to start layer job: %m"); - -        return 0; -} - -static int dkr_pull_pull_layer(DkrPull *i) { -        _cleanup_free_ char *path = NULL; -        const char *url, *layer = NULL; -        int r; - -        assert(i); -        assert(!i->layer_job); -        assert(!i->temp_path); -        assert(!i->final_path); - -        for (;;) { -                layer = dkr_pull_current_layer(i); -                if (!layer) -                        return 0; /* no more layers */ - -                path = strjoin(i->image_root, "/.dkr-", layer, NULL); -                if (!path) -                        return log_oom(); - -                if (laccess(path, F_OK) < 0) { -                        if (errno == ENOENT) -                                break; - -                        return log_error_errno(errno, "Failed to check for container: %m"); -                } - -                log_info("Layer %s already exists, skipping.", layer); - -                i->current_ancestry++; - -                path = mfree(path); -        } - -        log_info("Pulling layer %s...", layer); - -        i->final_path = path; -        path = NULL; - -        url = strjoina(PROTOCOL_PREFIX, i->response_registries[0], "/v1/images/", layer, "/layer"); -        r = pull_job_new(&i->layer_job, url, i->glue, i); -        if (r < 0) -                return log_error_errno(r, "Failed to allocate layer job: %m"); - -        r = dkr_pull_add_token(i, i->layer_job); -        if (r < 0) -                return log_oom(); - -        i->layer_job->on_finished = dkr_pull_job_on_finished; -        i->layer_job->on_open_disk = dkr_pull_job_on_open_disk; -        i->layer_job->on_progress = dkr_pull_job_on_progress; -        i->layer_job->grow_machine_directory = i->grow_machine_directory; - -        r = pull_job_begin(i->layer_job); -        if (r < 0) -                return log_error_errno(r, "Failed to start layer job: %m"); - -        return 0; -} - -static int dkr_pull_job_on_header(PullJob *j, const char *header, size_t sz)  { -        _cleanup_free_ char *registry = NULL; -        char *token, *digest; -        DkrPull *i; -        int r; - -        assert(j); -        assert(j->userdata); - -        i = j->userdata; -        r = curl_header_strdup(header, sz, HEADER_TOKEN, &token); -        if (r < 0) -                return log_oom(); -        if (r > 0) { -                free(i->response_token); -                i->response_token = token; -                return 0; -        } - -        r = curl_header_strdup(header, sz, HEADER_DIGEST, &digest); -        if (r < 0) -                return log_oom(); -        if (r > 0) { -                free(i->response_digest); -                i->response_digest = digest; -                return 0; -        } - -        r = curl_header_strdup(header, sz, HEADER_REGISTRY, ®istry); -        if (r < 0) -                return log_oom(); -        if (r > 0) { -                char **l, **k; - -                l = strv_split(registry, ","); -                if (!l) -                        return log_oom(); - -                STRV_FOREACH(k, l) { -                        if (!hostname_is_valid(*k, false)) { -                                log_error("Registry hostname is not valid."); -                                strv_free(l); -                                return -EBADMSG; -                        } -                } - -                strv_free(i->response_registries); -                i->response_registries = l; -        } - -        return 0; -} - -static void dkr_pull_job_on_finished_v2(PullJob *j) { -        DkrPull *i; -        int r; - -        assert(j); -        assert(j->userdata); - -        i = j->userdata; -        if (j->error != 0) { -                if (j == i->images_job) -                        log_error_errno(j->error, "Failed to retrieve images list. (Wrong index URL?)"); -                else if (j == i->ancestry_job) -                        log_error_errno(j->error, "Failed to retrieve manifest."); -                else if (j == i->json_job) -                        log_error_errno(j->error, "Failed to retrieve json data."); -                else -                        log_error_errno(j->error, "Failed to retrieve layer data."); - -                r = j->error; -                goto finish; -        } - -        if (i->images_job == j) { -                const char *url; - -                assert(!i->tags_job); -                assert(!i->ancestry_job); -                assert(!i->json_job); -                assert(!i->layer_job); - -                if (strv_isempty(i->response_registries)) { -                        r = -EBADMSG; -                        log_error("Didn't get registry information."); -                        goto finish; -                } - -                log_info("Index lookup succeeded, directed to registry %s.", i->response_registries[0]); -                dkr_pull_report_progress(i, DKR_RESOLVING); - -                url = strjoina(i->index_protocol, "auth.", i->index_address, "/v2/token/?scope=repository:", -                               i->name, ":pull&service=registry.", i->index_address); -                r = pull_job_new(&i->tags_job, url, i->glue, i); -                if (r < 0) { -                        log_error_errno(r, "Failed to allocate tags job: %m"); -                        goto finish; -                } - -                i->tags_job->on_finished = dkr_pull_job_on_finished_v2; -                i->tags_job->on_progress = dkr_pull_job_on_progress; - -                r = pull_job_begin(i->tags_job); -                if (r < 0) { -                        log_error_errno(r, "Failed to start tags job: %m"); -                        goto finish; -                } - -        } else if (i->tags_job == j) { -                const char *url; -                _cleanup_free_ char *buf; -                _cleanup_json_variant_unref_ JsonVariant *doc = NULL; -                JsonVariant *e = NULL; - -                assert(!i->ancestry_job); -                assert(!i->json_job); -                assert(!i->layer_job); - -                buf = strndup((const char *)j->payload, j->payload_size); -                if (!buf) { -                        r = -ENOMEM; -                        log_oom(); -                        goto finish; -                } - -                r = json_parse(buf, &doc); -                if (r < 0) { -                        log_error("Unable to parse bearer token\n%s", j->payload); -                        goto finish; -                } - -                e = json_variant_value(doc, "token"); -                if (!e || e->type != JSON_VARIANT_STRING) { -                        r = -EBADMSG; -                        log_error("Invalid JSON format for Bearer token"); -                        goto finish; -                } - -                r = free_and_strdup(&i->response_token, json_variant_string(e)); -                if (r < 0) { -                        log_oom(); -                        goto finish; -                } - -                url = strjoina(PROTOCOL_PREFIX, i->response_registries[0], "/v2/", i->name, "/manifests/", i->reference); -                r = pull_job_new(&i->ancestry_job, url, i->glue, i); -                if (r < 0) { -                        log_error_errno(r, "Failed to allocate ancestry job: %m"); -                        goto finish; -                } - -                r = dkr_pull_add_bearer_token(i, i->ancestry_job); -                if (r < 0) -                        goto finish; - -                i->ancestry_job->on_finished = dkr_pull_job_on_finished_v2; -                i->ancestry_job->on_progress = dkr_pull_job_on_progress; -                i->ancestry_job->on_header = dkr_pull_job_on_header; - - -                r = pull_job_begin(i->ancestry_job); -                if (r < 0) { -                        log_error_errno(r, "Failed to start ancestry job: %m"); -                        goto finish; -                } - -        } else if (i->ancestry_job == j) { - -                _cleanup_json_variant_unref_ JsonVariant *doc = NULL, *compat = NULL; -                JsonVariant *e = NULL; -                _cleanup_strv_free_ char **ancestry = NULL; -                size_t allocated = 0, size = 0; -                char *path = NULL, **k = NULL; - -                r = json_parse((const char *)j->payload, &doc); -                if (r < 0) { -                        log_error("Invalid JSON Manifest"); -                        goto finish; -                } - -                e = json_variant_value(doc, "fsLayers"); -                if (!e || e->type != JSON_VARIANT_ARRAY || e->size == 0) { -                        r = -EBADMSG; -                        goto finish; -                } - -                log_info("JSON manifest with schema v%"PRIi64" for %s parsed!", -                                json_variant_integer(json_variant_value(doc, "schemaVersion")), -                                json_variant_string(json_variant_value(doc, "name"))); - -                for (unsigned z = 0; z < e->size; z++) { -                        JsonVariant *f = json_variant_element(e, z), *g = NULL; -                        const char *layer; -                        if (f->type != JSON_VARIANT_OBJECT) { -                                r = -EBADMSG; -                                goto finish; -                        } - -                        g = json_variant_value(f, "blobSum"); - -                        layer = json_variant_string(g); -                        if (!dkr_digest_is_valid(layer)) { -                                r = -EBADMSG; -                                goto finish; -                        } - -                        if (!GREEDY_REALLOC(ancestry, allocated, size + 2)) { -                                r = -ENOMEM; -                                log_oom(); -                                goto finish; -                        } - -                        ancestry[size] = strdup(layer); -                        if (!ancestry[size]) { -                                r = -ENOMEM; -                                log_oom(); -                                goto finish; -                        } - -                        ancestry[size+1] = NULL; -                        size += 1; -                } - -                e = json_variant_value(doc, "history"); -                if (!e || e->type != JSON_VARIANT_ARRAY) { -                        r = -EBADMSG; -                        goto finish; -                } - -                e = json_variant_element(e, 0); -                e = json_variant_value(e, "v1Compatibility"); -                r = json_parse(json_variant_string(e), &compat); -                if (r < 0) { -                        log_error("Invalid v1Compatibility JSON"); -                        goto finish; -                } - -                e = json_variant_value(compat, "id"); - -                strv_free(i->ancestry); -                i->ancestry = strv_reverse(strv_uniq(ancestry)); -                i->n_ancestry = strv_length(i->ancestry); -                i->current_ancestry = 0; -                i->id = strdup(i->ancestry[i->n_ancestry - 1]); -                if (!i->id) { -                        r = -ENOMEM; -                        log_oom(); -                        goto finish; -                } -                path = strjoin(i->image_root, "/.dkr-", json_variant_string(e), NULL); -                if (!path) { -                        r = -ENOMEM; -                        log_oom(); -                        goto finish; -                } -                free(i->image_root); -                i->image_root = path; -                ancestry = NULL; - -                log_info("Required layers:\n"); -                STRV_FOREACH(k, i->ancestry) -                        log_info("\t%s", *k); -                log_info("\nProvenance:\n\tImageID: %s\n\tDigest:  %s", json_variant_string(e), i->response_digest); - -                dkr_pull_report_progress(i, DKR_DOWNLOADING); - -                r = dkr_pull_pull_layer_v2(i); -                if (r < 0) -                        goto finish; - -        } else if (i->layer_job == j) { -                assert(i->temp_path); -                assert(i->final_path); - -                j->disk_fd = safe_close(j->disk_fd); - -                if (i->tar_pid > 0) { -                        r = wait_for_terminate_and_warn("tar", i->tar_pid, true); -                        i->tar_pid = 0; -                        if (r < 0) -                                goto finish; -                } - -                r = aufs_resolve(i->temp_path); -                if (r < 0) { -                        log_error_errno(r, "Failed to resolve aufs whiteouts: %m"); -                        goto finish; -                } - -                r = btrfs_subvol_set_read_only(i->temp_path, true); -                if (r < 0) { -                        log_error_errno(r, "Failed to mark snapshot read-only: %m"); -                        goto finish; -                } - -                if (rename(i->temp_path, i->final_path) < 0) { -                        log_error_errno(errno, "Failed to rename snaphsot: %m"); -                        goto finish; -                } - -                log_info("Completed writing to layer %s.", i->final_path); - -                i->layer_job = pull_job_unref(i->layer_job); -                free(i->temp_path); -                i->temp_path = NULL; -                free(i->final_path); -                i->final_path = NULL; - -                i->current_ancestry ++; -                r = dkr_pull_pull_layer_v2(i); -                if (r < 0) -                        goto finish; - -        } else if (i->json_job != j) -                assert_not_reached("Got finished event for unknown curl object"); - -        if (!dkr_pull_is_done(i)) -                return; - -        dkr_pull_report_progress(i, DKR_COPYING); - -        r = dkr_pull_make_local_copy(i, DKR_PULL_V2); -        if (r < 0) -                goto finish; - -        r = 0; - -finish: -        if (i->on_finished) -                i->on_finished(i, r, i->userdata); -        else -                sd_event_exit(i->event, r); - -} - -static void dkr_pull_job_on_finished(PullJob *j) { -        DkrPull *i; -        int r; - -        assert(j); -        assert(j->userdata); - -        i = j->userdata; -        if (j->error != 0) { -                if (j == i->images_job) -                        log_error_errno(j->error, "Failed to retrieve images list. (Wrong index URL?)"); -                else if (j == i->tags_job) -                        log_error_errno(j->error, "Failed to retrieve tags list."); -                else if (j == i->ancestry_job) -                        log_error_errno(j->error, "Failed to retrieve ancestry list."); -                else if (j == i->json_job) -                        log_error_errno(j->error, "Failed to retrieve json data."); -                else -                        log_error_errno(j->error, "Failed to retrieve layer data."); - -                r = j->error; -                goto finish; -        } - -        if (i->images_job == j) { -                const char *url; - -                assert(!i->tags_job); -                assert(!i->ancestry_job); -                assert(!i->json_job); -                assert(!i->layer_job); - -                if (strv_isempty(i->response_registries)) { -                        r = -EBADMSG; -                        log_error("Didn't get registry information."); -                        goto finish; -                } - -                log_info("Index lookup succeeded, directed to registry %s.", i->response_registries[0]); -                dkr_pull_report_progress(i, DKR_RESOLVING); - -                url = strjoina(PROTOCOL_PREFIX, i->response_registries[0], "/v1/repositories/", i->name, "/tags/", i->reference); -                r = pull_job_new(&i->tags_job, url, i->glue, i); -                if (r < 0) { -                        log_error_errno(r, "Failed to allocate tags job: %m"); -                        goto finish; -                } - -                r = dkr_pull_add_token(i, i->tags_job); -                if (r < 0) { -                        log_oom(); -                        goto finish; -                } - -                i->tags_job->on_finished = dkr_pull_job_on_finished; -                i->tags_job->on_progress = dkr_pull_job_on_progress; - -                r = pull_job_begin(i->tags_job); -                if (r < 0) { -                        log_error_errno(r, "Failed to start tags job: %m"); -                        goto finish; -                } - -        } else if (i->tags_job == j) { -                const char *url; -                char *id = NULL; - -                assert(!i->ancestry_job); -                assert(!i->json_job); -                assert(!i->layer_job); - -                r = parse_id(j->payload, j->payload_size, &id); -                if (r < 0) { -                        log_error_errno(r, "Failed to parse JSON id."); -                        goto finish; -                } - -                free(i->id); -                i->id = id; - -                log_info("Tag lookup succeeded, resolved to layer %s.", i->id); -                dkr_pull_report_progress(i, DKR_METADATA); - -                url = strjoina(PROTOCOL_PREFIX, i->response_registries[0], "/v1/images/", i->id, "/ancestry"); -                r = pull_job_new(&i->ancestry_job, url, i->glue, i); -                if (r < 0) { -                        log_error_errno(r, "Failed to allocate ancestry job: %m"); -                        goto finish; -                } - -                r = dkr_pull_add_token(i, i->ancestry_job); -                if (r < 0) { -                        log_oom(); -                        goto finish; -                } - -                i->ancestry_job->on_finished = dkr_pull_job_on_finished; -                i->ancestry_job->on_progress = dkr_pull_job_on_progress; - -                url = strjoina(PROTOCOL_PREFIX, i->response_registries[0], "/v1/images/", i->id, "/json"); -                r = pull_job_new(&i->json_job, url, i->glue, i); -                if (r < 0) { -                        log_error_errno(r, "Failed to allocate json job: %m"); -                        goto finish; -                } - -                r = dkr_pull_add_token(i, i->json_job); -                if (r < 0) { -                        log_oom(); -                        goto finish; -                } - -                i->json_job->on_finished = dkr_pull_job_on_finished; -                i->json_job->on_progress = dkr_pull_job_on_progress; - -                r = pull_job_begin(i->ancestry_job); -                if (r < 0) { -                        log_error_errno(r, "Failed to start ancestry job: %m"); -                        goto finish; -                } - -                r = pull_job_begin(i->json_job); -                if (r < 0) { -                        log_error_errno(r, "Failed to start json job: %m"); -                        goto finish; -                } - -        } else if (i->ancestry_job == j) { -                char **ancestry = NULL, **k; -                unsigned n; - -                assert(!i->layer_job); - -                r = parse_ancestry(j->payload, j->payload_size, &ancestry); -                if (r < 0) { -                        log_error_errno(r, "Failed to parse JSON id."); -                        goto finish; -                } - -                n = strv_length(ancestry); -                if (n <= 0 || !streq(ancestry[n-1], i->id)) { -                        log_error("Ancestry doesn't end in main layer."); -                        strv_free(ancestry); -                        r = -EBADMSG; -                        goto finish; -                } - -                log_info("Ancestor lookup succeeded, requires layers:\n"); -                STRV_FOREACH(k, ancestry) -                        log_info("\t%s", *k); - -                strv_free(i->ancestry); -                i->ancestry = ancestry; -                i->n_ancestry = n; -                i->current_ancestry = 0; - -                dkr_pull_report_progress(i, DKR_DOWNLOADING); - -                r = dkr_pull_pull_layer(i); -                if (r < 0) -                        goto finish; - -        } else if (i->layer_job == j) { -                assert(i->temp_path); -                assert(i->final_path); - -                j->disk_fd = safe_close(j->disk_fd); - -                if (i->tar_pid > 0) { -                        r = wait_for_terminate_and_warn("tar", i->tar_pid, true); -                        i->tar_pid = 0; -                        if (r < 0) -                                goto finish; -                } - -                r = aufs_resolve(i->temp_path); -                if (r < 0) { -                        log_error_errno(r, "Failed to resolve aufs whiteouts: %m"); -                        goto finish; -                } - -                r = btrfs_subvol_set_read_only(i->temp_path, true); -                if (r < 0) { -                        log_error_errno(r, "Failed to mark snapshot read-only: %m"); -                        goto finish; -                } - -                if (rename(i->temp_path, i->final_path) < 0) { -                        log_error_errno(errno, "Failed to rename snaphsot: %m"); -                        goto finish; -                } - -                log_info("Completed writing to layer %s.", i->final_path); - -                i->layer_job = pull_job_unref(i->layer_job); -                i->temp_path = mfree(i->temp_path); -                i->final_path = mfree(i->final_path); - -                i->current_ancestry ++; -                r = dkr_pull_pull_layer(i); -                if (r < 0) -                        goto finish; - -        } else if (i->json_job != j) -                assert_not_reached("Got finished event for unknown curl object"); - -        if (!dkr_pull_is_done(i)) -                return; - -        dkr_pull_report_progress(i, DKR_COPYING); - -        r = dkr_pull_make_local_copy(i, DKR_PULL_V1); -        if (r < 0) -                goto finish; - -        r = 0; -finish: -        if (i->on_finished) -                i->on_finished(i, r, i->userdata); -        else -                sd_event_exit(i->event, r); -} - -static int get_protocol_address(char **protocol, char **address, const char *url) { -        const char *sep, *dot; -        _cleanup_free_ char *a = NULL, *p = NULL; - -        sep = strstr(url, "://"); -        if (!sep) -                return -EINVAL; - -        dot = strrchr(url, '.'); -        if (!dot) -                return -EINVAL; -        dot--; - -        p = strndup(url, (sep - url) + 3); -        if (!p) -                return log_oom(); - -        while (dot > (sep + 3) && *dot != '.') -                dot--; - -        a = strdup(dot + 1); -        if (!a) -                return log_oom(); - -        *address = a; -        *protocol = p; -        a = p = NULL; - -        return 0; -} - -int dkr_pull_start(DkrPull *i, const char *name, const char *reference, const char *local, bool force_local, DkrPullVersion version) { -        const char *url; -        int r; - -        assert(i); - -        if (!dkr_name_is_valid(name)) -                return -EINVAL; - -        if (reference && !dkr_ref_is_valid(reference)) -                return -EINVAL; - -        if (local && !machine_name_is_valid(local)) -                return -EINVAL; - -        if (i->images_job) -                return -EBUSY; - -        if (!reference) -                reference = "latest"; - -        free(i->index_protocol); -        free(i->index_address); -        r = get_protocol_address(&i->index_protocol, &i->index_address, i->index_url); -        if (r < 0) -                return r; - -        r = free_and_strdup(&i->local, local); -        if (r < 0) -                return r; -        i->force_local = force_local; - -        r = free_and_strdup(&i->name, name); -        if (r < 0) -                return r; -        r = free_and_strdup(&i->reference, reference); -        if (r < 0) -                return r; - -        url = strjoina(i->index_url, "/v1/repositories/", name, "/images"); - -        r = pull_job_new(&i->images_job, url, i->glue, i); -        if (r < 0) -                return r; - -        r = dkr_pull_add_token(i, i->images_job); -        if (r < 0) -                return r; - -        if (version == DKR_PULL_V1) -                i->images_job->on_finished = dkr_pull_job_on_finished; -        else -                i->images_job->on_finished = dkr_pull_job_on_finished_v2; - -        i->images_job->on_header = dkr_pull_job_on_header; -        i->images_job->on_progress = dkr_pull_job_on_progress; - -        return pull_job_begin(i->images_job); -} diff --git a/src/import/pull.c b/src/import/pull.c index fc93228a0b..e0631bdeaf 100644 --- a/src/import/pull.c +++ b/src/import/pull.c @@ -28,7 +28,6 @@  #include "import-util.h"  #include "machine-image.h"  #include "parse-util.h" -#include "pull-dkr.h"  #include "pull-raw.h"  #include "pull-tar.h"  #include "signal-util.h" @@ -39,7 +38,6 @@  static bool arg_force = false;  static const char *arg_image_root = "/var/lib/machines";  static ImportVerify arg_verify = IMPORT_VERIFY_SIGNATURE; -static const char* arg_dkr_index_url = DEFAULT_DKR_INDEX_URL;  static bool arg_settings = true;  static int interrupt_signal_handler(sd_event_source *s, const struct signalfd_siginfo *si, void *userdata) { @@ -220,114 +218,6 @@ static int pull_raw(int argc, char *argv[], void *userdata) {          return -r;  } -static void on_dkr_finished(DkrPull *pull, int error, void *userdata) { -        sd_event *event = userdata; -        assert(pull); - -        if (error == 0) -                log_info("Operation completed successfully."); - -        sd_event_exit(event, abs(error)); -} - -static int pull_dkr(int argc, char *argv[], void *userdata) { -        _cleanup_(dkr_pull_unrefp) DkrPull *pull = NULL; -        _cleanup_(sd_event_unrefp) sd_event *event = NULL; -        const char *name, *reference, *local, *digest; -        int r; - -        if (!arg_dkr_index_url) { -                log_error("Please specify an index URL with --dkr-index-url="); -                return -EINVAL; -        } - -        if (arg_verify != IMPORT_VERIFY_NO) { -                log_error("Pulls from dkr do not support image verification, please pass --verify=no."); -                return -EINVAL; -        } - -        digest = strchr(argv[1], '@'); -        if (digest) { -                reference = digest + 1; -                name = strndupa(argv[1], digest - argv[1]); -        } else { -                reference = strchr(argv[1], ':'); -                if (reference) { -                        name = strndupa(argv[1], reference - argv[1]); -                        reference++; -                } else { -                        name = argv[1]; -                        reference = "latest"; -                } -        } - -        if (!dkr_name_is_valid(name)) { -                log_error("Remote name '%s' is not valid.", name); -                return -EINVAL; -        } - -        if (!dkr_ref_is_valid(reference)) { -                log_error("Tag name '%s' is not valid.", reference); -                return -EINVAL; -        } - -        if (argc >= 3) -                local = argv[2]; -        else { -                local = strchr(name, '/'); -                if (local) -                        local++; -                else -                        local = name; -        } - -        if (isempty(local) || streq(local, "-")) -                local = NULL; - -        if (local) { -                if (!machine_name_is_valid(local)) { -                        log_error("Local image name '%s' is not valid.", local); -                        return -EINVAL; -                } - -                if (!arg_force) { -                        r = image_find(local, NULL); -                        if (r < 0) -                                return log_error_errno(r, "Failed to check whether image '%s' exists: %m", local); -                        else if (r > 0) { -                                log_error_errno(EEXIST, "Image '%s' already exists.", local); -                                return -EEXIST; -                        } -                } - -                log_info("Pulling '%s' with reference '%s', saving as '%s'.", name, reference, local); -        } else -                log_info("Pulling '%s' with reference '%s'.", name, reference); - -        r = sd_event_default(&event); -        if (r < 0) -                return log_error_errno(r, "Failed to allocate event loop: %m"); - -        assert_se(sigprocmask_many(SIG_BLOCK, NULL, SIGTERM, SIGINT, -1) >= 0); -        (void) sd_event_add_signal(event, NULL, SIGTERM, interrupt_signal_handler,  NULL); -        (void) sd_event_add_signal(event, NULL, SIGINT, interrupt_signal_handler, NULL); - -        r = dkr_pull_new(&pull, event, arg_dkr_index_url, arg_image_root, on_dkr_finished, event); -        if (r < 0) -                return log_error_errno(r, "Failed to allocate puller: %m"); - -        r = dkr_pull_start(pull, name, reference, local, arg_force, DKR_PULL_V2); -        if (r < 0) -                return log_error_errno(r, "Failed to pull image: %m"); - -        r = sd_event_loop(event); -        if (r < 0) -                return log_error_errno(r, "Failed to run event loop: %m"); - -        log_info("Exiting."); -        return -r; -} -  static int help(int argc, char *argv[], void *userdata) {          printf("%s [OPTIONS...] {COMMAND} ...\n\n" @@ -338,12 +228,10 @@ static int help(int argc, char *argv[], void *userdata) {                 "     --verify=MODE            Verify downloaded image, one of: 'no',\n"                 "                              'checksum', 'signature'\n"                 "     --settings=BOOL          Download settings file with image\n" -               "     --image-root=PATH        Image root directory\n" -               "     --dkr-index-url=URL      Specify index URL to use for downloads\n\n" +               "     --image-root=PATH        Image root directory\n\n"                 "Commands:\n"                 "  tar URL [NAME]              Download a TAR image\n" -               "  raw URL [NAME]              Download a RAW image\n" -               "  dkr REMOTE [NAME]           Download a DKR image\n", +               "  raw URL [NAME]              Download a RAW image\n",                 program_invocation_short_name);          return 0; @@ -354,7 +242,6 @@ static int parse_argv(int argc, char *argv[]) {          enum {                  ARG_VERSION = 0x100,                  ARG_FORCE, -                ARG_DKR_INDEX_URL,                  ARG_IMAGE_ROOT,                  ARG_VERIFY,                  ARG_SETTINGS, @@ -364,7 +251,6 @@ static int parse_argv(int argc, char *argv[]) {                  { "help",            no_argument,       NULL, 'h'                 },                  { "version",         no_argument,       NULL, ARG_VERSION         },                  { "force",           no_argument,       NULL, ARG_FORCE           }, -                { "dkr-index-url",   required_argument, NULL, ARG_DKR_INDEX_URL   },                  { "image-root",      required_argument, NULL, ARG_IMAGE_ROOT      },                  { "verify",          required_argument, NULL, ARG_VERIFY          },                  { "settings",        required_argument, NULL, ARG_SETTINGS        }, @@ -390,15 +276,6 @@ static int parse_argv(int argc, char *argv[]) {                          arg_force = true;                          break; -                case ARG_DKR_INDEX_URL: -                        if (!http_url_is_valid(optarg)) { -                                log_error("Index URL is not valid: %s", optarg); -                                return -EINVAL; -                        } - -                        arg_dkr_index_url = optarg; -                        break; -                  case ARG_IMAGE_ROOT:                          arg_image_root = optarg;                          break; @@ -436,7 +313,6 @@ static int pull_main(int argc, char *argv[]) {                  { "help", VERB_ANY, VERB_ANY, 0, help     },                  { "tar",  2,        3,        0, pull_tar },                  { "raw",  2,        3,        0, pull_raw }, -                { "dkr",  2,        3,        0, pull_dkr },                  {}          }; diff --git a/src/journal/journal-file.c b/src/journal/journal-file.c index 751e1423fc..9e362bacae 100644 --- a/src/journal/journal-file.c +++ b/src/journal/journal-file.c @@ -169,8 +169,7 @@ JournalFile* journal_file_close(JournalFile *f) {          safe_close(f->fd);          free(f->path); -        if (f->mmap) -                mmap_cache_unref(f->mmap); +        mmap_cache_unref(f->mmap);          ordered_hashmap_free_free(f->chain_cache); diff --git a/src/journal/mmap-cache.c b/src/journal/mmap-cache.c index 5a07ddda76..eb4b092e80 100644 --- a/src/journal/mmap-cache.c +++ b/src/journal/mmap-cache.c @@ -348,7 +348,10 @@ static void mmap_cache_free(MMapCache *m) {  }  MMapCache* mmap_cache_unref(MMapCache *m) { -        assert(m); + +        if (!m) +                return NULL; +          assert(m->n_ref > 0);          m->n_ref --; diff --git a/src/libsystemd/sd-event/sd-event.c b/src/libsystemd/sd-event/sd-event.c index 3191b458d1..7fccbd1a71 100644 --- a/src/libsystemd/sd-event/sd-event.c +++ b/src/libsystemd/sd-event/sd-event.c @@ -37,6 +37,7 @@  #include "process-util.h"  #include "set.h"  #include "signal-util.h" +#include "string-table.h"  #include "string-util.h"  #include "time-util.h"  #include "util.h" @@ -60,6 +61,23 @@ typedef enum EventSourceType {          _SOURCE_EVENT_SOURCE_TYPE_INVALID = -1  } EventSourceType; +static const char* const event_source_type_table[_SOURCE_EVENT_SOURCE_TYPE_MAX] = { +        [SOURCE_IO] = "io", +        [SOURCE_TIME_REALTIME] = "realtime", +        [SOURCE_TIME_BOOTTIME] = "bootime", +        [SOURCE_TIME_MONOTONIC] = "monotonic", +        [SOURCE_TIME_REALTIME_ALARM] = "realtime-alarm", +        [SOURCE_TIME_BOOTTIME_ALARM] = "boottime-alarm", +        [SOURCE_SIGNAL] = "signal", +        [SOURCE_CHILD] = "child", +        [SOURCE_DEFER] = "defer", +        [SOURCE_POST] = "post", +        [SOURCE_EXIT] = "exit", +        [SOURCE_WATCHDOG] = "watchdog", +}; + +DEFINE_PRIVATE_STRING_TABLE_LOOKUP_TO_STRING(event_source_type, int); +  /* All objects we use in epoll events start with this value, so that   * we know how to dispatch it */  typedef enum WakeupType { @@ -482,7 +500,8 @@ static void source_io_unregister(sd_event_source *s) {          r = epoll_ctl(s->event->epoll_fd, EPOLL_CTL_DEL, s->io.fd, NULL);          if (r < 0) -                log_debug_errno(errno, "Failed to remove source %s from epoll: %m", strna(s->description)); +                log_debug_errno(errno, "Failed to remove source %s (type %s) from epoll: %m", +                                strna(s->description), event_source_type_to_string(s->type));          s->io.registered = false;  } @@ -2281,12 +2300,9 @@ static int source_dispatch(sd_event_source *s) {          s->dispatching = false; -        if (r < 0) { -                if (s->description) -                        log_debug_errno(r, "Event source '%s' returned error, disabling: %m", s->description); -                else -                        log_debug_errno(r, "Event source %p returned error, disabling: %m", s); -        } +        if (r < 0) +                log_debug_errno(r, "Event source %s (type %s) returned error, disabling: %m", +                                strna(s->description), event_source_type_to_string(s->type));          if (s->n_ref == 0)                  source_free(s); @@ -2319,12 +2335,9 @@ static int event_prepare(sd_event *e) {                  r = s->prepare(s, s->userdata);                  s->dispatching = false; -                if (r < 0) { -                        if (s->description) -                                log_debug_errno(r, "Prepare callback of event source '%s' returned error, disabling: %m", s->description); -                        else -                                log_debug_errno(r, "Prepare callback of event source %p returned error, disabling: %m", s); -                } +                if (r < 0) +                        log_debug_errno(r, "Prepare callback of event source %s (type %s) returned error, disabling: %m", +                                        strna(s->description), event_source_type_to_string(s->type));                  if (s->n_ref == 0)                          source_free(s); diff --git a/src/login/logind-dbus.c b/src/login/logind-dbus.c index c1643cf41a..4631f5fc90 100644 --- a/src/login/logind-dbus.c +++ b/src/login/logind-dbus.c @@ -1944,9 +1944,9 @@ static int method_schedule_shutdown(sd_bus_message *message, void *userdata, sd_                  action_multiple_sessions = "org.freedesktop.login1.halt-multiple-sessions";                  action_ignore_inhibit = "org.freedesktop.login1.halt-ignore-inhibit";          } else if (streq(type, "poweroff")) { -                action = "org.freedesktop.login1.poweroff"; -                action_multiple_sessions = "org.freedesktop.login1.poweroff-multiple-sessions"; -                action_ignore_inhibit = "org.freedesktop.login1.poweroff-ignore-inhibit"; +                action = "org.freedesktop.login1.power-off"; +                action_multiple_sessions = "org.freedesktop.login1.power-off-multiple-sessions"; +                action_ignore_inhibit = "org.freedesktop.login1.power-off-ignore-inhibit";          } else                  return sd_bus_error_setf(error, SD_BUS_ERROR_INVALID_ARGS, "Unsupported shutdown type"); diff --git a/src/machine/machinectl.c b/src/machine/machinectl.c index 0a01bd3e20..685bbafdf1 100644 --- a/src/machine/machinectl.c +++ b/src/machine/machinectl.c @@ -78,7 +78,6 @@ static unsigned arg_lines = 10;  static OutputMode arg_output = OUTPUT_SHORT;  static bool arg_force = false;  static ImportVerify arg_verify = IMPORT_VERIFY_SIGNATURE; -static const char* arg_dkr_index_url = NULL;  static const char* arg_format = NULL;  static const char *arg_uid = NULL;  static char **arg_setenv = NULL; @@ -2166,78 +2165,6 @@ static int pull_raw(int argc, char *argv[], void *userdata) {          return transfer_image_common(bus, m);  } -static int pull_dkr(int argc, char *argv[], void *userdata) { -        _cleanup_(sd_bus_message_unrefp) sd_bus_message *m = NULL; -        const char *local, *remote, *tag; -        sd_bus *bus = userdata; -        int r; - -        if (arg_verify != IMPORT_VERIFY_NO) { -                log_error("Imports from DKR do not support image verification, please pass --verify=no."); -                return -EINVAL; -        } - -        remote = argv[1]; -        tag = strchr(remote, ':'); -        if (tag) { -                remote = strndupa(remote, tag - remote); -                tag++; -        } - -        if (!dkr_name_is_valid(remote)) { -                log_error("DKR name '%s' is invalid.", remote); -                return -EINVAL; -        } -        if (tag && !dkr_tag_is_valid(tag)) { -                log_error("DKR tag '%s' is invalid.", remote); -                return -EINVAL; -        } - -        if (argc >= 3) -                local = argv[2]; -        else { -                local = strchr(remote, '/'); -                if (local) -                        local++; -                else -                        local = remote; -        } - -        if (isempty(local) || streq(local, "-")) -                local = NULL; - -        if (local) { -                if (!machine_name_is_valid(local)) { -                        log_error("Local name %s is not a suitable machine name.", local); -                        return -EINVAL; -                } -        } - -        r = sd_bus_message_new_method_call( -                        bus, -                        &m, -                        "org.freedesktop.import1", -                        "/org/freedesktop/import1", -                        "org.freedesktop.import1.Manager", -                        "PullDkr"); -        if (r < 0) -                return bus_log_create_error(r); - -        r = sd_bus_message_append( -                        m, -                        "sssssb", -                        arg_dkr_index_url, -                        remote, -                        tag, -                        local, -                        import_verify_to_string(arg_verify), -                        arg_force); -        if (r < 0) -                return bus_log_create_error(r); - -        return transfer_image_common(bus, m); -} -  typedef struct TransferInfo {          uint32_t id;          const char *type; @@ -2452,9 +2379,7 @@ static int help(int argc, char *argv[], void *userdata) {                 "                              json-pretty, json-sse, cat)\n"                 "      --verify=MODE           Verification mode for downloaded images (no,\n"                 "                              checksum, signature)\n" -               "      --force                 Download image even if already exists\n" -               "      --dkr-index-url=URL     Specify the index URL to use for DKR image\n" -               "                              downloads\n\n" +               "      --force                 Download image even if already exists\n\n"                 "Machine Commands:\n"                 "  list                        List running VMs and containers\n"                 "  status NAME...              Show VM/container details\n" @@ -2486,7 +2411,6 @@ static int help(int argc, char *argv[], void *userdata) {                 "Image Transfer Commands:\n"                 "  pull-tar URL [NAME]         Download a TAR container image\n"                 "  pull-raw URL [NAME]         Download a RAW container or VM image\n" -               "  pull-dkr REMOTE [NAME]      Download a DKR container image\n"                 "  import-tar FILE [NAME]      Import a local TAR container image\n"                 "  import-raw FILE [NAME]      Import a local RAW container or VM image\n"                 "  export-tar NAME [FILE]      Export a TAR container image locally\n" @@ -2510,7 +2434,6 @@ static int parse_argv(int argc, char *argv[]) {                  ARG_NO_ASK_PASSWORD,                  ARG_VERIFY,                  ARG_FORCE, -                ARG_DKR_INDEX_URL,                  ARG_FORMAT,                  ARG_UID,                  ARG_SETENV, @@ -2536,7 +2459,6 @@ static int parse_argv(int argc, char *argv[]) {                  { "no-ask-password", no_argument,       NULL, ARG_NO_ASK_PASSWORD },                  { "verify",          required_argument, NULL, ARG_VERIFY          },                  { "force",           no_argument,       NULL, ARG_FORCE           }, -                { "dkr-index-url",   required_argument, NULL, ARG_DKR_INDEX_URL   },                  { "format",          required_argument, NULL, ARG_FORMAT          },                  { "uid",             required_argument, NULL, ARG_UID             },                  { "setenv",          required_argument, NULL, ARG_SETENV          }, @@ -2650,15 +2572,6 @@ static int parse_argv(int argc, char *argv[]) {                          arg_force = true;                          break; -                case ARG_DKR_INDEX_URL: -                        if (!http_url_is_valid(optarg)) { -                                log_error("Index URL is invalid: %s", optarg); -                                return -EINVAL; -                        } - -                        arg_dkr_index_url = optarg; -                        break; -                  case ARG_FORMAT:                          if (!STR_IN_SET(optarg, "uncompressed", "xz", "gzip", "bzip2")) {                                  log_error("Unknown format: %s", optarg); @@ -2725,7 +2638,6 @@ static int machinectl_main(int argc, char *argv[], sd_bus *bus) {                  { "export-raw",      2,        3,        0,            export_raw        },                  { "pull-tar",        2,        3,        0,            pull_tar          },                  { "pull-raw",        2,        3,        0,            pull_raw          }, -                { "pull-dkr",        2,        3,        0,            pull_dkr          },                  { "list-transfers",  VERB_ANY, 1,        0,            list_transfers    },                  { "cancel-transfer", 2,        VERB_ANY, 0,            cancel_transfer   },                  { "set-limit",       2,        3,        0,            set_limit         }, diff --git a/src/resolve-host/resolve-host.c b/src/resolve-host/resolve-host.c index 0f154d9798..3e4b52a3a9 100644 --- a/src/resolve-host/resolve-host.c +++ b/src/resolve-host/resolve-host.c @@ -38,7 +38,7 @@  static int arg_family = AF_UNSPEC;  static int arg_ifindex = 0; -static int arg_type = 0; +static uint16_t arg_type = 0;  static uint16_t arg_class = 0;  static bool arg_legend = true;  static uint64_t arg_flags = 0; @@ -347,7 +347,6 @@ static int resolve_record(sd_bus *bus, const char *name) {          if (r < 0)                  return bus_log_create_error(r); -        assert((uint16_t) arg_type == arg_type);          r = sd_bus_message_append(req, "isqqt", arg_ifindex, name, arg_class, arg_type, arg_flags);          if (r < 0)                  return bus_log_create_error(r); @@ -399,7 +398,7 @@ static int resolve_record(sd_bus *bus, const char *name) {                  if (r < 0)                          return log_oom(); -                r = dns_packet_read_rr(p, &rr, NULL); +                r = dns_packet_read_rr(p, &rr, NULL, NULL);                  if (r < 0) {                          log_error("Failed to parse RR.");                          return r; @@ -758,12 +757,13 @@ static int parse_argv(int argc, char *argv[]) {                                  return 0;                          } -                        arg_type = dns_type_from_string(optarg); -                        if (arg_type < 0) { +                        r = dns_type_from_string(optarg); +                        if (r < 0) {                                  log_error("Failed to parse RR record type %s", optarg); -                                return arg_type; +                                return r;                          } -                        assert(arg_type > 0 && (uint16_t) arg_type == arg_type); +                        arg_type = (uint16_t) r; +                        assert((int) arg_type == r);                          break; @@ -773,11 +773,13 @@ static int parse_argv(int argc, char *argv[]) {                                  return 0;                          } -                        r = dns_class_from_string(optarg, &arg_class); +                        r = dns_class_from_string(optarg);                          if (r < 0) {                                  log_error("Failed to parse RR record class %s", optarg);                                  return r;                          } +                        arg_class = (uint16_t) r; +                        assert((int) arg_class == r);                          break; diff --git a/src/resolve/dns-type.c b/src/resolve/dns-type.c index 63b4b36e88..cc52ef9abe 100644 --- a/src/resolve/dns-type.c +++ b/src/resolve/dns-type.c @@ -20,6 +20,7 @@  ***/  #include "dns-type.h" +#include "string-util.h"  typedef const struct {          uint16_t type; @@ -44,7 +45,79 @@ int dns_type_from_string(const char *s) {          return sc->id;  } -/* XXX: find an authoritative list of all pseudo types? */ -bool dns_type_is_pseudo(int n) { -        return IN_SET(n, DNS_TYPE_ANY, DNS_TYPE_AXFR, DNS_TYPE_IXFR, DNS_TYPE_OPT); +bool dns_type_is_pseudo(uint16_t type) { + +        /* Checks whether the specified type is a "pseudo-type". What +         * a "pseudo-type" precisely is, is defined only very weakly, +         * but apparently entails all RR types that are not actually +         * stored as RRs on the server and should hence also not be +         * cached. We use this list primarily to validate NSEC type +         * bitfields, and to verify what to cache. */ + +        return IN_SET(type, +                      0, /* A Pseudo RR type, according to RFC 2931 */ +                      DNS_TYPE_ANY, +                      DNS_TYPE_AXFR, +                      DNS_TYPE_IXFR, +                      DNS_TYPE_OPT, +                      DNS_TYPE_TSIG, +                      DNS_TYPE_TKEY +        ); +} + +bool dns_class_is_pseudo(uint16_t class) { +        return class == DNS_TYPE_ANY; +} + +bool dns_type_is_valid_query(uint16_t type) { + +        /* The types valid as questions in packets */ + +        return !IN_SET(type, +                       0, +                       DNS_TYPE_OPT, +                       DNS_TYPE_TSIG, +                       DNS_TYPE_TKEY); +} + +bool dns_type_is_valid_rr(uint16_t type) { + +        /* The types valid as RR in packets (but not necessarily +         * stored on servers). */ + +        return !IN_SET(type, +                       DNS_TYPE_ANY, +                       DNS_TYPE_AXFR, +                       DNS_TYPE_IXFR); +} + +bool dns_class_is_valid_rr(uint16_t class) { +        return class != DNS_CLASS_ANY; +} + +const char *dns_class_to_string(uint16_t class) { + +        switch (class) { + +        case DNS_CLASS_IN: +                return "IN"; + +        case DNS_CLASS_ANY: +                return "ANY"; +        } + +        return NULL; +} + +int dns_class_from_string(const char *s) { + +        if (!s) +                return _DNS_CLASS_INVALID; + +        if (strcaseeq(s, "IN")) +                return DNS_CLASS_IN; +        else if (strcaseeq(s, "ANY")) +                return DNS_CLASS_ANY; + +        return _DNS_CLASS_INVALID;  } diff --git a/src/resolve/dns-type.h b/src/resolve/dns-type.h index 950af36ee3..bea0adaa16 100644 --- a/src/resolve/dns-type.h +++ b/src/resolve/dns-type.h @@ -23,10 +23,6 @@  #include "macro.h" -const char *dns_type_to_string(int type); -int dns_type_from_string(const char *s); -bool dns_type_is_pseudo(int n); -  /* DNS record types, taken from   * http://www.iana.org/assignments/dns-parameters/dns-parameters.xhtml.   */ @@ -119,3 +115,25 @@ enum {  assert_cc(DNS_TYPE_SSHFP == 44);  assert_cc(DNS_TYPE_TLSA == 52);  assert_cc(DNS_TYPE_ANY == 255); + +/* DNS record classes, see RFC 1035 */ +enum { +        DNS_CLASS_IN   = 0x01, +        DNS_CLASS_ANY  = 0xFF, + +        _DNS_CLASS_MAX, +        _DNS_CLASS_INVALID = -1 +}; + +bool dns_type_is_pseudo(uint16_t type); +bool dns_type_is_valid_query(uint16_t type); +bool dns_type_is_valid_rr(uint16_t type); + +bool dns_class_is_pseudo(uint16_t class); +bool dns_class_is_valid_rr(uint16_t class); + +const char *dns_type_to_string(int type); +int dns_type_from_string(const char *s); + +const char *dns_class_to_string(uint16_t type); +int dns_class_from_string(const char *name); diff --git a/src/resolve/resolved-bus.c b/src/resolve/resolved-bus.c index 0ceca56371..af08a0555d 100644 --- a/src/resolve/resolved-bus.c +++ b/src/resolve/resolved-bus.c @@ -60,7 +60,11 @@ static int reply_query_state(DnsQuery *q) {          case DNS_TRANSACTION_ABORTED:                  return sd_bus_reply_method_errorf(q->request, BUS_ERROR_ABORTED, "Query aborted"); -        case DNS_TRANSACTION_FAILURE: { +        case DNS_TRANSACTION_DNSSEC_FAILED: +                return sd_bus_reply_method_errorf(q->request, BUS_ERROR_ABORTED, "DNSSEC validation failed: %s", +                                                  dnssec_result_to_string(q->answer_dnssec_result)); + +        case DNS_TRANSACTION_RCODE_FAILURE: {                  _cleanup_(sd_bus_error_free) sd_bus_error error = SD_BUS_ERROR_NULL;                  if (q->answer_rcode == DNS_RCODE_NXDOMAIN) @@ -550,6 +554,9 @@ static int bus_method_resolve_record(sd_bus_message *message, void *userdata, sd          if (r == 0)                  return sd_bus_error_setf(error, SD_BUS_ERROR_INVALID_ARGS, "Invalid name '%s'", name); +        if (!dns_type_is_valid_query(type)) +                return sd_bus_error_setf(error, SD_BUS_ERROR_INVALID_ARGS, "Invalid RR type for query %" PRIu16, type); +          r = check_ifindex_flags(ifindex, &flags, 0, error);          if (r < 0)                  return r; diff --git a/src/resolve/resolved-def.h b/src/resolve/resolved-def.h index db5ee57b51..6014d345f3 100644 --- a/src/resolve/resolved-def.h +++ b/src/resolve/resolved-def.h @@ -24,6 +24,8 @@  #define SD_RESOLVED_DNS           (UINT64_C(1) << 0)  #define SD_RESOLVED_LLMNR_IPV4    (UINT64_C(1) << 1)  #define SD_RESOLVED_LLMNR_IPV6    (UINT64_C(1) << 2) +#define SD_RESOLVED_MDNS_IPV4     (UINT64_C(1) << 3) +#define SD_RESOLVED_MDNS_IPV6     (UINT64_C(1) << 4)  #define SD_RESOLVED_NO_CNAME      (UINT64_C(1) << 5)  #define SD_RESOLVED_NO_TXT        (UINT64_C(1) << 6)  #define SD_RESOLVED_NO_ADDRESS    (UINT64_C(1) << 7) @@ -31,4 +33,6 @@  #define SD_RESOLVED_AUTHENTICATED (UINT64_C(1) << 9)  #define SD_RESOLVED_LLMNR         (SD_RESOLVED_LLMNR_IPV4|SD_RESOLVED_LLMNR_IPV6) -#define SD_RESOLVED_PROTOCOLS_ALL (SD_RESOLVED_LLMNR|SD_RESOLVED_DNS) +#define SD_RESOLVED_MDNS          (SD_RESOLVED_MDNS_IPV4|SD_RESOLVED_MDNS_IPV6) + +#define SD_RESOLVED_PROTOCOLS_ALL (SD_RESOLVED_MDNS|SD_RESOLVED_LLMNR|SD_RESOLVED_DNS) diff --git a/src/resolve/resolved-dns-answer.c b/src/resolve/resolved-dns-answer.c index 4db67f7278..70577453e8 100644 --- a/src/resolve/resolved-dns-answer.c +++ b/src/resolve/resolved-dns-answer.c @@ -22,6 +22,7 @@  #include "alloc-util.h"  #include "dns-domain.h"  #include "resolved-dns-answer.h" +#include "resolved-dns-dnssec.h"  #include "string-util.h"  DnsAnswer *dns_answer_new(unsigned n) { @@ -46,6 +47,18 @@ DnsAnswer *dns_answer_ref(DnsAnswer *a) {          return a;  } +static void dns_answer_flush(DnsAnswer *a) { +        DnsResourceRecord *rr; + +        if (!a) +                return; + +        DNS_ANSWER_FOREACH(rr, a) +                dns_resource_record_unref(rr); + +        a->n_rrs = 0; +} +  DnsAnswer *dns_answer_unref(DnsAnswer *a) {          if (!a)                  return NULL; @@ -53,11 +66,7 @@ DnsAnswer *dns_answer_unref(DnsAnswer *a) {          assert(a->n_ref > 0);          if (a->n_ref == 1) { -                unsigned i; - -                for (i = 0; i < a->n_rrs; i++) -                        dns_resource_record_unref(a->items[i].rr); - +                dns_answer_flush(a);                  free(a);          } else                  a->n_ref--; @@ -65,7 +74,39 @@ DnsAnswer *dns_answer_unref(DnsAnswer *a) {          return NULL;  } -int dns_answer_add(DnsAnswer *a, DnsResourceRecord *rr, int ifindex) { +static int dns_answer_add_raw(DnsAnswer *a, DnsResourceRecord *rr, int ifindex, DnsAnswerFlags flags) { +        assert(rr); + +        if (!a) +                return -ENOSPC; + +        if (a->n_rrs >= a->n_allocated) +                return -ENOSPC; + +        a->items[a->n_rrs++] = (DnsAnswerItem) { +                .rr = dns_resource_record_ref(rr), +                .ifindex = ifindex, +                .flags = flags, +        }; + +        return 1; +} + +static int dns_answer_add_raw_all(DnsAnswer *a, DnsAnswer *source) { +        DnsResourceRecord *rr; +        DnsAnswerFlags flags; +        int ifindex, r; + +        DNS_ANSWER_FOREACH_FULL(rr, ifindex, flags, source) { +                r = dns_answer_add_raw(a, rr, ifindex, flags); +                if (r < 0) +                        return r; +        } + +        return 0; +} + +int dns_answer_add(DnsAnswer *a, DnsResourceRecord *rr, int ifindex, DnsAnswerFlags flags) {          unsigned i;          int r; @@ -73,6 +114,8 @@ int dns_answer_add(DnsAnswer *a, DnsResourceRecord *rr, int ifindex) {          if (!a)                  return -ENOSPC; +        if (a->n_ref > 1) +                return -EBUSY;          for (i = 0; i < a->n_rrs; i++) {                  if (a->items[i].ifindex != ifindex) @@ -91,18 +134,39 @@ int dns_answer_add(DnsAnswer *a, DnsResourceRecord *rr, int ifindex) {                                  a->items[i].rr = rr;                          } +                        a->items[i].flags |= flags;                          return 0;                  }          } -        if (a->n_rrs >= a->n_allocated) -                return -ENOSPC; +        return dns_answer_add_raw(a, rr, ifindex, flags); +} -        a->items[a->n_rrs].rr = dns_resource_record_ref(rr); -        a->items[a->n_rrs].ifindex = ifindex; -        a->n_rrs++; +static int dns_answer_add_all(DnsAnswer *a, DnsAnswer *b) { +        DnsResourceRecord *rr; +        DnsAnswerFlags flags; +        int ifindex, r; -        return 1; +        DNS_ANSWER_FOREACH_FULL(rr, ifindex, flags, b) { +                r = dns_answer_add(a, rr, ifindex, flags); +                if (r < 0) +                        return r; +        } + +        return 0; +} + +int dns_answer_add_extend(DnsAnswer **a, DnsResourceRecord *rr, int ifindex, DnsAnswerFlags flags) { +        int r; + +        assert(a); +        assert(rr); + +        r = dns_answer_reserve_or_clone(a, 1); +        if (r < 0) +                return r; + +        return dns_answer_add(*a, rr, ifindex, flags);  }  int dns_answer_add_soa(DnsAnswer *a, const char *name, uint32_t ttl) { @@ -128,59 +192,163 @@ int dns_answer_add_soa(DnsAnswer *a, const char *name, uint32_t ttl) {          soa->soa.expire = 1;          soa->soa.minimum = ttl; -        return dns_answer_add(a, soa, 0); +        return dns_answer_add(a, soa, 0, DNS_ANSWER_AUTHENTICATED);  } -int dns_answer_contains(DnsAnswer *a, DnsResourceKey *key) { -        unsigned i; +int dns_answer_match_key(DnsAnswer *a, const DnsResourceKey *key, DnsAnswerFlags *ret_flags) { +        DnsAnswerFlags flags = 0, i_flags; +        DnsResourceRecord *i; +        bool found = false;          int r;          assert(key); -        if (!a) -                return 0; - -        for (i = 0; i < a->n_rrs; i++) { -                r = dns_resource_key_match_rr(key, a->items[i].rr, NULL); +        DNS_ANSWER_FOREACH_FLAGS(i, i_flags, a) { +                r = dns_resource_key_match_rr(key, i, NULL);                  if (r < 0)                          return r; -                if (r > 0) +                if (r == 0) +                        continue; + +                if (!ret_flags)                          return 1; + +                if (found) +                        flags &= i_flags; +                else { +                        flags = i_flags; +                        found = true; +                }          } -        return 0; +        if (ret_flags) +                *ret_flags = flags; + +        return found;  } -int dns_answer_match_soa(DnsResourceKey *key, DnsResourceKey *soa) { -        if (soa->class != DNS_CLASS_IN) -                return 0; +int dns_answer_contains_rr(DnsAnswer *a, DnsResourceRecord *rr, DnsAnswerFlags *ret_flags) { +        DnsAnswerFlags flags = 0, i_flags; +        DnsResourceRecord *i; +        bool found = false; +        int r; -        if (soa->type != DNS_TYPE_SOA) -                return 0; +        assert(rr); -        if (!dns_name_endswith(DNS_RESOURCE_KEY_NAME(key), DNS_RESOURCE_KEY_NAME(soa))) -                return 0; +        DNS_ANSWER_FOREACH_FLAGS(i, i_flags, a) { +                r = dns_resource_record_equal(i, rr); +                if (r < 0) +                        return r; +                if (r == 0) +                        continue; -        return 1; +                if (!ret_flags) +                        return 1; + +                if (found) +                        flags &= i_flags; +                else { +                        flags = i_flags; +                        found = true; +                } +        } + +        if (ret_flags) +                *ret_flags = flags; + +        return found;  } -int dns_answer_find_soa(DnsAnswer *a, DnsResourceKey *key, DnsResourceRecord **ret) { -        unsigned i; +int dns_answer_contains_key(DnsAnswer *a, const DnsResourceKey *key, DnsAnswerFlags *ret_flags) { +        DnsAnswerFlags flags = 0, i_flags; +        DnsResourceRecord *i; +        bool found = false; +        int r;          assert(key); -        assert(ret); -        if (!a) -                return 0; +        DNS_ANSWER_FOREACH_FLAGS(i, i_flags, a) { +                r = dns_resource_key_equal(i->key, key); +                if (r < 0) +                        return r; +                if (r == 0) +                        continue; + +                if (!ret_flags) +                        return true; + +                if (found) +                        flags &= i_flags; +                else { +                        flags = i_flags; +                        found = true; +                } +        } + +        if (ret_flags) +                *ret_flags = flags; + +        return found; +} + +int dns_answer_contains_nsec_or_nsec3(DnsAnswer *a) { +        DnsResourceRecord *i; + +        DNS_ANSWER_FOREACH(i, a) { +                if (IN_SET(i->key->type, DNS_TYPE_NSEC, DNS_TYPE_NSEC3)) +                        return true; +        } + +        return false; +} + +int dns_answer_find_soa(DnsAnswer *a, const DnsResourceKey *key, DnsResourceRecord **ret, DnsAnswerFlags *flags) { +        DnsResourceRecord *rr; +        DnsAnswerFlags rr_flags; +        int r; + +        assert(key);          /* For a SOA record we can never find a matching SOA record */          if (key->type == DNS_TYPE_SOA)                  return 0; -        for (i = 0; i < a->n_rrs; i++) { +        DNS_ANSWER_FOREACH_FLAGS(rr, rr_flags, a) { +                r = dns_resource_key_match_soa(key, rr->key); +                if (r < 0) +                        return r; +                if (r > 0) { +                        if (ret) +                                *ret = rr; +                        if (flags) +                                *flags = rr_flags; +                        return 1; +                } +        } + +        return 0; +} -                if (dns_answer_match_soa(key, a->items[i].rr->key)) { -                        *ret = a->items[i].rr; +int dns_answer_find_cname_or_dname(DnsAnswer *a, const DnsResourceKey *key, DnsResourceRecord **ret, DnsAnswerFlags *flags) { +        DnsResourceRecord *rr; +        DnsAnswerFlags rr_flags; +        int r; + +        assert(key); + +        /* For a {C,D}NAME record we can never find a matching {C,D}NAME record */ +        if (key->type == DNS_TYPE_CNAME || key->type == DNS_TYPE_DNAME) +                return 0; + +        DNS_ANSWER_FOREACH_FLAGS(rr, rr_flags, a) { +                r = dns_resource_key_match_cname_or_dname(key, rr->key, NULL); +                if (r < 0) +                        return r; +                if (r > 0) { +                        if (ret) +                                *ret = rr; +                        if (flags) +                                *flags = rr_flags;                          return 1;                  }          } @@ -188,41 +356,185 @@ int dns_answer_find_soa(DnsAnswer *a, DnsResourceKey *key, DnsResourceRecord **r          return 0;  } -DnsAnswer *dns_answer_merge(DnsAnswer *a, DnsAnswer *b) { -        _cleanup_(dns_answer_unrefp) DnsAnswer *ret = NULL; -        DnsAnswer *k; +int dns_answer_merge(DnsAnswer *a, DnsAnswer *b, DnsAnswer **ret) { +        _cleanup_(dns_answer_unrefp) DnsAnswer *k = NULL; +        int r; + +        assert(ret); + +        if (dns_answer_size(a) <= 0) { +                *ret = dns_answer_ref(b); +                return 0; +        } + +        if (dns_answer_size(b) <= 0) { +                *ret = dns_answer_ref(a); +                return 0; +        } + +        k = dns_answer_new(a->n_rrs + b->n_rrs); +        if (!k) +                return -ENOMEM; + +        r = dns_answer_add_raw_all(k, a); +        if (r < 0) +                return r; + +        r = dns_answer_add_all(k, b); +        if (r < 0) +                return r; + +        *ret = k; +        k = NULL; + +        return 0; +} + +int dns_answer_extend(DnsAnswer **a, DnsAnswer *b) { +        DnsAnswer *merged; +        int r; + +        assert(a); + +        r = dns_answer_merge(*a, b, &merged); +        if (r < 0) +                return r; + +        dns_answer_unref(*a); +        *a = merged; + +        return 0; +} + +int dns_answer_remove_by_key(DnsAnswer **a, const DnsResourceKey *key) { +        bool found = false, other = false; +        DnsResourceRecord *rr;          unsigned i;          int r; -        if (a && (!b || b->n_rrs <= 0)) -                return dns_answer_ref(a); -        if ((!a || a->n_rrs <= 0) && b) -                return dns_answer_ref(b); +        assert(a); +        assert(key); -        ret = dns_answer_new((a ? a->n_rrs : 0) + (b ? b->n_rrs : 0)); -        if (!ret) -                return NULL; +        /* Remove all entries matching the specified key from *a */ -        if (a) { -                for (i = 0; i < a->n_rrs; i++) { -                        r = dns_answer_add(ret, a->items[i].rr, a->items[i].ifindex); -                        if (r < 0) -                                return NULL; -                } +        DNS_ANSWER_FOREACH(rr, *a) { +                r = dns_resource_key_equal(rr->key, key); +                if (r < 0) +                        return r; +                if (r > 0) +                        found = true; +                else +                        other = true; + +                if (found && other) +                        break;          } -        if (b) { -                for (i = 0; i < b->n_rrs; i++) { -                        r = dns_answer_add(ret, b->items[i].rr, b->items[i].ifindex); +        if (!found) +                return 0; + +        if (!other) { +                *a = dns_answer_unref(*a); /* Return NULL for the empty answer */ +                return 1; +        } + +        if ((*a)->n_ref > 1) { +                _cleanup_(dns_answer_unrefp) DnsAnswer *copy = NULL; +                DnsAnswerFlags flags; +                int ifindex; + +                copy = dns_answer_new((*a)->n_rrs); +                if (!copy) +                        return -ENOMEM; + +                DNS_ANSWER_FOREACH_FULL(rr, ifindex, flags, *a) { +                        r = dns_resource_key_equal(rr->key, key); +                        if (r < 0) +                                return r; +                        if (r > 0) +                                continue; + +                        r = dns_answer_add_raw(copy, rr, ifindex, flags);                          if (r < 0) -                                return NULL; +                                return r;                  } + +                dns_answer_unref(*a); +                *a = copy; +                copy = NULL; + +                return 1;          } -        k = ret; -        ret = NULL; +        /* Only a single reference, edit in-place */ + +        i = 0; +        for (;;) { +                if (i >= (*a)->n_rrs) +                        break; + +                r = dns_resource_key_equal((*a)->items[i].rr->key, key); +                if (r < 0) +                        return r; +                if (r > 0) { +                        /* Kill this entry */ + +                        dns_resource_record_unref((*a)->items[i].rr); +                        memmove((*a)->items + i, (*a)->items + i + 1, sizeof(DnsAnswerItem) * ((*a)->n_rrs - i - 1)); +                        (*a)->n_rrs --; +                        continue; + +                } else +                        /* Keep this entry */ +                        i++; +        } -        return k; +        return 1; +} + +int dns_answer_copy_by_key(DnsAnswer **a, DnsAnswer *source, const DnsResourceKey *key, DnsAnswerFlags or_flags) { +        DnsResourceRecord *rr_source; +        int ifindex_source, r; +        DnsAnswerFlags flags_source; + +        assert(a); +        assert(key); + +        /* Copy all RRs matching the specified key from source into *a */ + +        DNS_ANSWER_FOREACH_FULL(rr_source, ifindex_source, flags_source, source) { + +                r = dns_resource_key_equal(rr_source->key, key); +                if (r < 0) +                        return r; +                if (r == 0) +                        continue; + +                /* Make space for at least one entry */ +                r = dns_answer_reserve_or_clone(a, 1); +                if (r < 0) +                        return r; + +                r = dns_answer_add(*a, rr_source, ifindex_source, flags_source|or_flags); +                if (r < 0) +                        return r; +        } + +        return 0; +} + +int dns_answer_move_by_key(DnsAnswer **to, DnsAnswer **from, const DnsResourceKey *key, DnsAnswerFlags or_flags) { +        int r; + +        assert(to); +        assert(from); +        assert(key); + +        r = dns_answer_copy_by_key(to, *from, key, or_flags); +        if (r < 0) +                return r; + +        return dns_answer_remove_by_key(from, key);  }  void dns_answer_order_by_scope(DnsAnswer *a, bool prefer_link_local) { @@ -261,6 +573,8 @@ void dns_answer_order_by_scope(DnsAnswer *a, bool prefer_link_local) {  int dns_answer_reserve(DnsAnswer **a, unsigned n_free) {          DnsAnswer *n; +        assert(a); +          if (n_free <= 0)                  return 0; @@ -275,6 +589,9 @@ int dns_answer_reserve(DnsAnswer **a, unsigned n_free) {                  if ((*a)->n_allocated >= ns)                          return 0; +                /* Allocate more than we need */ +                ns *= 2; +                  n = realloc(*a, offsetof(DnsAnswer, items) + sizeof(DnsAnswerItem) * ns);                  if (!n)                          return -ENOMEM; @@ -289,3 +606,73 @@ int dns_answer_reserve(DnsAnswer **a, unsigned n_free) {          *a = n;          return 0;  } + +int dns_answer_reserve_or_clone(DnsAnswer **a, unsigned n_free) { +        _cleanup_(dns_answer_unrefp) DnsAnswer *n = NULL; +        int r; + +        assert(a); + +        /* Tries to extend the DnsAnswer object. And if that's not +         * possibly, since we are not the sole owner, then allocate a +         * new, appropriately sized one. Either way, after this call +         * the object will only have a single reference, and has room +         * for at least the specified number of RRs. */ + +        r = dns_answer_reserve(a, n_free); +        if (r != -EBUSY) +                return r; + +        assert(*a); + +        n = dns_answer_new(((*a)->n_rrs + n_free) * 2); +        if (!n) +                return -ENOMEM; + +        r = dns_answer_add_raw_all(n, *a); +        if (r < 0) +                return r; + +        dns_answer_unref(*a); +        *a = n; +        n = NULL; + +        return 0; +} + +void dns_answer_dump(DnsAnswer *answer, FILE *f) { +        DnsResourceRecord *rr; +        DnsAnswerFlags flags; +        int ifindex, r; + +        if (!f) +                f = stdout; + +        DNS_ANSWER_FOREACH_FULL(rr, ifindex, flags, answer) { +                _cleanup_free_ char *t = NULL; + +                fputc('\t', f); + +                r = dns_resource_record_to_string(rr, &t); +                if (r < 0) { +                        log_oom(); +                        continue; +                } + +                fputs(t, f); + +                if (ifindex != 0 || flags & (DNS_ANSWER_AUTHENTICATED|DNS_ANSWER_CACHEABLE|DNS_ANSWER_SHARED_OWNER)) +                        fputs("\t;", f); + +                if (ifindex != 0) +                        printf(" ifindex=%i", ifindex); +                if (flags & DNS_ANSWER_AUTHENTICATED) +                        fputs(" authenticated", f); +                if (flags & DNS_ANSWER_CACHEABLE) +                        fputs(" cachable", f); +                if (flags & DNS_ANSWER_SHARED_OWNER) +                        fputs(" shared-owner", f); + +                fputc('\n', f); +        } +} diff --git a/src/resolve/resolved-dns-answer.h b/src/resolve/resolved-dns-answer.h index 89c254b02e..28ded3b252 100644 --- a/src/resolve/resolved-dns-answer.h +++ b/src/resolve/resolved-dns-answer.h @@ -30,11 +30,20 @@ typedef struct DnsAnswerItem DnsAnswerItem;  /* A simple array of resource records. We keep track of the   * originating ifindex for each RR where that makes sense, so that we   * can qualify A and AAAA RRs referring to a local link with the - * right ifindex. */ + * right ifindex. + * + * Note that we usually encode the the empty DnsAnswer object as a simple NULL. */ + +typedef enum DnsAnswerFlags { +        DNS_ANSWER_AUTHENTICATED = 1, /* Item has been authenticated */ +        DNS_ANSWER_CACHEABLE     = 2, /* Item is subject to caching */ +        DNS_ANSWER_SHARED_OWNER  = 4, /* For mDNS: RRset may be owner by multiple peers */ +} DnsAnswerFlags;  struct DnsAnswerItem {          DnsResourceRecord *rr;          int ifindex; +        DnsAnswerFlags flags;  };  struct DnsAnswer { @@ -47,16 +56,35 @@ DnsAnswer *dns_answer_new(unsigned n);  DnsAnswer *dns_answer_ref(DnsAnswer *a);  DnsAnswer *dns_answer_unref(DnsAnswer *a); -int dns_answer_add(DnsAnswer *a, DnsResourceRecord *rr, int ifindex); +int dns_answer_add(DnsAnswer *a, DnsResourceRecord *rr, int ifindex, DnsAnswerFlags flags); +int dns_answer_add_extend(DnsAnswer **a, DnsResourceRecord *rr, int ifindex, DnsAnswerFlags flags);  int dns_answer_add_soa(DnsAnswer *a, const char *name, uint32_t ttl); -int dns_answer_contains(DnsAnswer *a, DnsResourceKey *key); -int dns_answer_match_soa(DnsResourceKey *key, DnsResourceKey *soa); -int dns_answer_find_soa(DnsAnswer *a, DnsResourceKey *key, DnsResourceRecord **ret); -DnsAnswer *dns_answer_merge(DnsAnswer *a, DnsAnswer *b); +int dns_answer_match_key(DnsAnswer *a, const DnsResourceKey *key, DnsAnswerFlags *combined_flags); +int dns_answer_contains_rr(DnsAnswer *a, DnsResourceRecord *rr, DnsAnswerFlags *combined_flags); +int dns_answer_contains_key(DnsAnswer *a, const DnsResourceKey *key, DnsAnswerFlags *combined_flags); +int dns_answer_contains_nsec_or_nsec3(DnsAnswer *a); + +int dns_answer_find_soa(DnsAnswer *a, const DnsResourceKey *key, DnsResourceRecord **ret, DnsAnswerFlags *flags); +int dns_answer_find_cname_or_dname(DnsAnswer *a, const DnsResourceKey *key, DnsResourceRecord **ret, DnsAnswerFlags *flags); + +int dns_answer_merge(DnsAnswer *a, DnsAnswer *b, DnsAnswer **ret); +int dns_answer_extend(DnsAnswer **a, DnsAnswer *b); +  void dns_answer_order_by_scope(DnsAnswer *a, bool prefer_link_local);  int dns_answer_reserve(DnsAnswer **a, unsigned n_free); +int dns_answer_reserve_or_clone(DnsAnswer **a, unsigned n_free); + +int dns_answer_remove_by_key(DnsAnswer **a, const DnsResourceKey *key); +int dns_answer_copy_by_key(DnsAnswer **a, DnsAnswer *source, const DnsResourceKey *key, DnsAnswerFlags or_flags); +int dns_answer_move_by_key(DnsAnswer **to, DnsAnswer **from, const DnsResourceKey *key, DnsAnswerFlags or_flags); + +static inline unsigned dns_answer_size(DnsAnswer *a) { +        return a ? a->n_rrs : 0; +} + +void dns_answer_dump(DnsAnswer *answer, FILE *f);  DEFINE_TRIVIAL_CLEANUP_FUNC(DnsAnswer*, dns_answer_unref); @@ -70,13 +98,43 @@ DEFINE_TRIVIAL_CLEANUP_FUNC(DnsAnswer*, dns_answer_unref);  #define DNS_ANSWER_FOREACH(kk, a) _DNS_ANSWER_FOREACH(UNIQ, kk, a) -#define _DNS_ANSWER_FOREACH_IFINDEX(q, kk, ifindex, a)                  \ +#define _DNS_ANSWER_FOREACH_IFINDEX(q, kk, ifi, a)                      \          for (unsigned UNIQ_T(i, q) = ({                                 \                                  (kk) = ((a) && (a)->n_rrs > 0) ? (a)->items[0].rr : NULL; \ -                                (ifindex) = ((a) && (a)->n_rrs > 0) ? (a)->items[0].ifindex : 0; \ +                                (ifi) = ((a) && (a)->n_rrs > 0) ? (a)->items[0].ifindex : 0; \                                  0;                                      \                          });                                             \               (a) && (UNIQ_T(i, q) < (a)->n_rrs);                        \ -             UNIQ_T(i, q)++, (kk) = ((UNIQ_T(i, q) < (a)->n_rrs) ? (a)->items[UNIQ_T(i, q)].rr : NULL), (ifindex) = ((UNIQ_T(i, q) < (a)->n_rrs) ? (a)->items[UNIQ_T(i, q)].ifindex : 0)) +             UNIQ_T(i, q)++,                                            \ +                     (kk) = ((UNIQ_T(i, q) < (a)->n_rrs) ? (a)->items[UNIQ_T(i, q)].rr : NULL), \ +                     (ifi) = ((UNIQ_T(i, q) < (a)->n_rrs) ? (a)->items[UNIQ_T(i, q)].ifindex : 0))  #define DNS_ANSWER_FOREACH_IFINDEX(kk, ifindex, a) _DNS_ANSWER_FOREACH_IFINDEX(UNIQ, kk, ifindex, a) + +#define _DNS_ANSWER_FOREACH_FLAGS(q, kk, fl, a)                         \ +        for (unsigned UNIQ_T(i, q) = ({                                 \ +                                (kk) = ((a) && (a)->n_rrs > 0) ? (a)->items[0].rr : NULL; \ +                                (fl) = ((a) && (a)->n_rrs > 0) ? (a)->items[0].flags : 0; \ +                                0;                                      \ +                        });                                             \ +             (a) && (UNIQ_T(i, q) < (a)->n_rrs);                        \ +             UNIQ_T(i, q)++,                                            \ +                     (kk) = ((UNIQ_T(i, q) < (a)->n_rrs) ? (a)->items[UNIQ_T(i, q)].rr : NULL), \ +                     (fl) = ((UNIQ_T(i, q) < (a)->n_rrs) ? (a)->items[UNIQ_T(i, q)].flags : 0)) + +#define DNS_ANSWER_FOREACH_FLAGS(kk, flags, a) _DNS_ANSWER_FOREACH_FLAGS(UNIQ, kk, flags, a) + +#define _DNS_ANSWER_FOREACH_FULL(q, kk, ifi, fl, a)                     \ +        for (unsigned UNIQ_T(i, q) = ({                                 \ +                                (kk) = ((a) && (a)->n_rrs > 0) ? (a)->items[0].rr : NULL; \ +                                (ifi) = ((a) && (a)->n_rrs > 0) ? (a)->items[0].ifindex : 0; \ +                                (fl) = ((a) && (a)->n_rrs > 0) ? (a)->items[0].flags : 0; \ +                                0;                                      \ +                        });                                             \ +             (a) && (UNIQ_T(i, q) < (a)->n_rrs);                        \ +             UNIQ_T(i, q)++,                                            \ +                     (kk) = ((UNIQ_T(i, q) < (a)->n_rrs) ? (a)->items[UNIQ_T(i, q)].rr : NULL), \ +                     (ifi) = ((UNIQ_T(i, q) < (a)->n_rrs) ? (a)->items[UNIQ_T(i, q)].ifindex : 0), \ +                     (fl) = ((UNIQ_T(i, q) < (a)->n_rrs) ? (a)->items[UNIQ_T(i, q)].flags : 0)) + +#define DNS_ANSWER_FOREACH_FULL(kk, ifindex, flags, a) _DNS_ANSWER_FOREACH_FULL(UNIQ, kk, ifindex, flags, a) diff --git a/src/resolve/resolved-dns-cache.c b/src/resolve/resolved-dns-cache.c index bcb9994a8c..f50d780ebb 100644 --- a/src/resolve/resolved-dns-cache.c +++ b/src/resolve/resolved-dns-cache.c @@ -21,15 +21,16 @@  #include "alloc-util.h"  #include "dns-domain.h" +#include "resolved-dns-answer.h"  #include "resolved-dns-cache.h"  #include "resolved-dns-packet.h"  #include "string-util.h" -/* Never cache more than 1K entries */ -#define CACHE_MAX 1024 +/* Never cache more than 4K entries */ +#define CACHE_MAX 4096 -/* We never keep any item longer than 10min in our cache */ -#define CACHE_TTL_MAX_USEC (10 * USEC_PER_MINUTE) +/* We never keep any item longer than 2h in our cache */ +#define CACHE_TTL_MAX_USEC (2 * USEC_PER_HOUR)  typedef enum DnsCacheItemType DnsCacheItemType;  typedef struct DnsCacheItem DnsCacheItem; @@ -41,14 +42,18 @@ enum DnsCacheItemType {  };  struct DnsCacheItem { +        DnsCacheItemType type;          DnsResourceKey *key;          DnsResourceRecord *rr; +          usec_t until; -        DnsCacheItemType type; -        unsigned prioq_idx; -        bool authenticated; +        bool authenticated:1; +        bool shared_owner:1; +          int owner_family;          union in_addr_union owner_address; + +        unsigned prioq_idx;          LIST_FIELDS(DnsCacheItem, by_key);  }; @@ -63,7 +68,7 @@ static void dns_cache_item_free(DnsCacheItem *i) {  DEFINE_TRIVIAL_CLEANUP_FUNC(DnsCacheItem*, dns_cache_item_free); -static void dns_cache_item_remove_and_free(DnsCache *c, DnsCacheItem *i) { +static void dns_cache_item_unlink_and_free(DnsCache *c, DnsCacheItem *i) {          DnsCacheItem *first;          assert(c); @@ -84,34 +89,55 @@ static void dns_cache_item_remove_and_free(DnsCache *c, DnsCacheItem *i) {          dns_cache_item_free(i);  } -void dns_cache_flush(DnsCache *c) { -        DnsCacheItem *i; +static bool dns_cache_remove_by_rr(DnsCache *c, DnsResourceRecord *rr) { +        DnsCacheItem *first, *i; +        int r; + +        first = hashmap_get(c->by_key, rr->key); +        LIST_FOREACH(by_key, i, first) { +                r = dns_resource_record_equal(i->rr, rr); +                if (r < 0) +                        return r; +                if (r > 0) { +                        dns_cache_item_unlink_and_free(c, i); +                        return true; +                } +        } + +        return false; +} + +static bool dns_cache_remove_by_key(DnsCache *c, DnsResourceKey *key) { +        DnsCacheItem *first, *i, *n;          assert(c); +        assert(key); -        while ((i = hashmap_first(c->by_key))) -                dns_cache_item_remove_and_free(c, i); +        first = hashmap_remove(c->by_key, key); +        if (!first) +                return false; -        assert(hashmap_size(c->by_key) == 0); -        assert(prioq_size(c->by_expiry) == 0); +        LIST_FOREACH_SAFE(by_key, i, n, first) { +                prioq_remove(c->by_expiry, i, &i->prioq_idx); +                dns_cache_item_free(i); +        } -        c->by_key = hashmap_free(c->by_key); -        c->by_expiry = prioq_free(c->by_expiry); +        return true;  } -static bool dns_cache_remove(DnsCache *c, DnsResourceKey *key) { -        DnsCacheItem *i; -        bool exist = false; +void dns_cache_flush(DnsCache *c) { +        DnsResourceKey *key;          assert(c); -        assert(key); -        while ((i = hashmap_get(c->by_key, key))) { -                dns_cache_item_remove_and_free(c, i); -                exist = true; -        } +        while ((key = hashmap_first_key(c->by_key))) +                dns_cache_remove_by_key(c, key); -        return exist; +        assert(hashmap_size(c->by_key) == 0); +        assert(prioq_size(c->by_expiry) == 0); + +        c->by_key = hashmap_free(c->by_key); +        c->by_expiry = prioq_free(c->by_expiry);  }  static void dns_cache_make_space(DnsCache *c, unsigned add) { @@ -141,7 +167,7 @@ static void dns_cache_make_space(DnsCache *c, unsigned add) {                  /* Take an extra reference to the key so that it                   * doesn't go away in the middle of the remove call */                  key = dns_resource_key_ref(i->key); -                dns_cache_remove(c, key); +                dns_cache_remove_by_key(c, key);          }  } @@ -153,7 +179,6 @@ void dns_cache_prune(DnsCache *c) {          /* Remove all entries that are past their TTL */          for (;;) { -                _cleanup_(dns_resource_key_unrefp) DnsResourceKey *key = NULL;                  DnsCacheItem *i;                  i = prioq_peek(c->by_expiry); @@ -166,10 +191,19 @@ void dns_cache_prune(DnsCache *c) {                  if (i->until > t)                          break; -                /* Take an extra reference to the key so that it -                 * doesn't go away in the middle of the remove call */ -                key = dns_resource_key_ref(i->key); -                dns_cache_remove(c, key); +                /* Depending whether this is an mDNS shared entry +                 * either remove only this one RR or the whole +                 * RRset */ +                if (i->shared_owner) +                        dns_cache_item_unlink_and_free(c, i); +                else { +                        _cleanup_(dns_resource_key_unrefp) DnsResourceKey *key = NULL; + +                        /* Take an extra reference to the key so that it +                         * doesn't go away in the middle of the remove call */ +                        key = dns_resource_key_ref(i->key); +                        dns_cache_remove_by_key(c, key); +                }          }  } @@ -238,10 +272,20 @@ static DnsCacheItem* dns_cache_get(DnsCache *c, DnsResourceRecord *rr) {          return NULL;  } -static void dns_cache_item_update_positive(DnsCache *c, DnsCacheItem *i, DnsResourceRecord *rr, bool authenticated, usec_t timestamp) { +static void dns_cache_item_update_positive( +                DnsCache *c, +                DnsCacheItem *i, +                DnsResourceRecord *rr, +                bool authenticated, +                bool shared_owner, +                usec_t timestamp, +                int owner_family, +                const union in_addr_union *owner_address) { +          assert(c);          assert(i);          assert(rr); +        assert(owner_address);          i->type = DNS_CACHE_POSITIVE; @@ -258,8 +302,12 @@ static void dns_cache_item_update_positive(DnsCache *c, DnsCacheItem *i, DnsReso          dns_resource_key_unref(i->key);          i->key = dns_resource_key_ref(rr->key); -        i->authenticated = authenticated;          i->until = timestamp + MIN(rr->ttl * USEC_PER_SEC, CACHE_TTL_MAX_USEC); +        i->authenticated = authenticated; +        i->shared_owner = shared_owner; + +        i->owner_family = owner_family; +        i->owner_address = *owner_address;          prioq_reshuffle(c->by_expiry, i, &i->prioq_idx);  } @@ -268,6 +316,7 @@ static int dns_cache_put_positive(                  DnsCache *c,                  DnsResourceRecord *rr,                  bool authenticated, +                bool shared_owner,                  usec_t timestamp,                  int owner_family,                  const union in_addr_union *owner_address) { @@ -275,35 +324,48 @@ static int dns_cache_put_positive(          _cleanup_(dns_cache_item_freep) DnsCacheItem *i = NULL;          _cleanup_free_ char *key_str = NULL;          DnsCacheItem *existing; -        int r; +        int r, k;          assert(c);          assert(rr);          assert(owner_address); -        /* New TTL is 0? Delete the entry... */ +        /* Never cache pseudo RRs */ +        if (dns_class_is_pseudo(rr->key->class)) +                return 0; +        if (dns_type_is_pseudo(rr->key->type)) +                return 0; + +        /* New TTL is 0? Delete this specific entry... */          if (rr->ttl <= 0) { -                r = dns_resource_key_to_string(rr->key, &key_str); -                if (r < 0) -                        return r; +                k = dns_cache_remove_by_rr(c, rr); -                if (dns_cache_remove(c, rr->key)) -                        log_debug("Removed zero TTL entry from cache: %s", key_str); -                else -                        log_debug("Not caching zero TTL cache entry: %s", key_str); +                if (log_get_max_level() >= LOG_DEBUG) { +                        r = dns_resource_key_to_string(rr->key, &key_str); +                        if (r < 0) +                                return r; -                return 0; -        } +                        if (k > 0) +                                log_debug("Removed zero TTL entry from cache: %s", key_str); +                        else +                                log_debug("Not caching zero TTL cache entry: %s", key_str); +                } -        if (rr->key->class == DNS_CLASS_ANY) -                return 0; -        if (rr->key->type == DNS_TYPE_ANY)                  return 0; +        } -        /* Entry exists already? Update TTL and timestamp */ +        /* Entry exists already? Update TTL, timestamp and owner*/          existing = dns_cache_get(c, rr);          if (existing) { -                dns_cache_item_update_positive(c, existing, rr, authenticated, timestamp); +                dns_cache_item_update_positive( +                                c, +                                existing, +                                rr, +                                authenticated, +                                shared_owner, +                                timestamp, +                                owner_family, +                                owner_address);                  return 0;          } @@ -322,20 +384,23 @@ static int dns_cache_put_positive(          i->key = dns_resource_key_ref(rr->key);          i->rr = dns_resource_record_ref(rr);          i->until = timestamp + MIN(i->rr->ttl * USEC_PER_SEC, CACHE_TTL_MAX_USEC); -        i->prioq_idx = PRIOQ_IDX_NULL; +        i->authenticated = authenticated; +        i->shared_owner = shared_owner;          i->owner_family = owner_family;          i->owner_address = *owner_address; -        i->authenticated = authenticated; +        i->prioq_idx = PRIOQ_IDX_NULL;          r = dns_cache_link_item(c, i);          if (r < 0)                  return r; -        r = dns_resource_key_to_string(i->key, &key_str); -        if (r < 0) -                return r; +        if (log_get_max_level() >= LOG_DEBUG) { +                r = dns_resource_key_to_string(i->key, &key_str); +                if (r < 0) +                        return r; -        log_debug("Added cache entry for %s", key_str); +                log_debug("Added positive cache entry for %s", key_str); +        }          i = NULL;          return 0; @@ -359,18 +424,22 @@ static int dns_cache_put_negative(          assert(key);          assert(owner_address); -        dns_cache_remove(c, key); - -        if (key->class == DNS_CLASS_ANY) +        /* Never cache pseudo RR keys. DNS_TYPE_ANY is particularly +         * important to filter out as we use this as a pseudo-type for +         * NXDOMAIN entries */ +        if (dns_class_is_pseudo(key->class))                  return 0; -        if (key->type == DNS_TYPE_ANY) +        if (dns_type_is_pseudo(key->type))                  return 0; +          if (soa_ttl <= 0) { -                r = dns_resource_key_to_string(key, &key_str); -                if (r < 0) -                        return r; +                if (log_get_max_level() >= LOG_DEBUG) { +                        r = dns_resource_key_to_string(key, &key_str); +                        if (r < 0) +                                return r; -                log_debug("Not caching negative entry with zero SOA TTL: %s", key_str); +                        log_debug("Not caching negative entry with zero SOA TTL: %s", key_str); +                }                  return 0;          } @@ -389,65 +458,108 @@ static int dns_cache_put_negative(                  return -ENOMEM;          i->type = rcode == DNS_RCODE_SUCCESS ? DNS_CACHE_NODATA : DNS_CACHE_NXDOMAIN; -        i->key = dns_resource_key_ref(key);          i->until = timestamp + MIN(soa_ttl * USEC_PER_SEC, CACHE_TTL_MAX_USEC); -        i->prioq_idx = PRIOQ_IDX_NULL; +        i->authenticated = authenticated;          i->owner_family = owner_family;          i->owner_address = *owner_address; -        i->authenticated = authenticated; +        i->prioq_idx = PRIOQ_IDX_NULL; + +        if (i->type == DNS_CACHE_NXDOMAIN) { +                /* NXDOMAIN entries should apply equally to all types, so we use ANY as +                 * a pseudo type for this purpose here. */ +                i->key = dns_resource_key_new(key->class, DNS_TYPE_ANY, DNS_RESOURCE_KEY_NAME(key)); +                if (!i->key) +                        return -ENOMEM; +        } else +                i->key = dns_resource_key_ref(key);          r = dns_cache_link_item(c, i);          if (r < 0)                  return r; -        r = dns_resource_key_to_string(i->key, &key_str); -        if (r < 0) -                return r; +        if (log_get_max_level() >= LOG_DEBUG) { +                r = dns_resource_key_to_string(i->key, &key_str); +                if (r < 0) +                        return r; -        log_debug("Added %s cache entry for %s", i->type == DNS_CACHE_NODATA ? "NODATA" : "NXDOMAIN", key_str); +                log_debug("Added %s cache entry for %s", i->type == DNS_CACHE_NODATA ? "NODATA" : "NXDOMAIN", key_str); +        }          i = NULL;          return 0;  } +static void dns_cache_remove_previous( +                DnsCache *c, +                DnsResourceKey *key, +                DnsAnswer *answer) { + +        DnsResourceRecord *rr; +        DnsAnswerFlags flags; + +        assert(c); + +        /* First, if we were passed a key (i.e. on LLMNR/DNS, but +         * not on mDNS), delete all matching old RRs, so that we only +         * keep complete by_key in place. */ +        if (key) +                dns_cache_remove_by_key(c, key); + +        /* Second, flush all entries matching the answer, unless this +         * is an RR that is explicitly marked to be "shared" between +         * peers (i.e. mDNS RRs without the flush-cache bit set). */ +        DNS_ANSWER_FOREACH_FLAGS(rr, flags, answer) { +                if ((flags & DNS_ANSWER_CACHEABLE) == 0) +                        continue; + +                if (flags & DNS_ANSWER_SHARED_OWNER) +                        continue; + +                dns_cache_remove_by_key(c, rr->key); +        } +} +  int dns_cache_put(                  DnsCache *c,                  DnsResourceKey *key,                  int rcode,                  DnsAnswer *answer, -                unsigned max_rrs,                  bool authenticated,                  usec_t timestamp,                  int owner_family,                  const union in_addr_union *owner_address) { -        DnsResourceRecord *soa = NULL; -        unsigned cache_keys, i; +        DnsResourceRecord *soa = NULL, *rr; +        DnsAnswerFlags flags; +        unsigned cache_keys;          int r;          assert(c); +        assert(owner_address); -        if (key) { -                /* First, if we were passed a key, delete all matching old RRs, -                 * so that we only keep complete by_key in place. */ -                dns_cache_remove(c, key); -        } +        dns_cache_remove_previous(c, key, answer); -        if (!answer) -                return 0; +        if (dns_answer_size(answer) <= 0) { +                if (log_get_max_level() >= LOG_DEBUG) { +                        _cleanup_free_ char *key_str = NULL; -        for (i = 0; i < answer->n_rrs; i++) -                dns_cache_remove(c, answer->items[i].rr->key); +                        r = dns_resource_key_to_string(key, &key_str); +                        if (r < 0) +                                return r; + +                        log_debug("Not caching negative entry without a SOA record: %s", key_str); +                } + +                return 0; +        }          /* We only care for positive replies and NXDOMAINs, on all           * other replies we will simply flush the respective entries,           * and that's it */ -          if (!IN_SET(rcode, DNS_RCODE_SUCCESS, DNS_RCODE_NXDOMAIN))                  return 0; -        cache_keys = answer->n_rrs; - +        cache_keys = dns_answer_size(answer);          if (key)                  cache_keys ++; @@ -458,58 +570,63 @@ int dns_cache_put(                  timestamp = now(clock_boottime_or_monotonic());          /* Second, add in positive entries for all contained RRs */ -        for (i = 0; i < MIN(max_rrs, answer->n_rrs); i++) { -                r = dns_cache_put_positive(c, answer->items[i].rr, authenticated, timestamp, owner_family, owner_address); +        DNS_ANSWER_FOREACH_FLAGS(rr, flags, answer) { +                if ((flags & DNS_ANSWER_CACHEABLE) == 0) +                        continue; + +                r = dns_cache_put_positive( +                                c, +                                rr, +                                flags & DNS_ANSWER_AUTHENTICATED, +                                flags & DNS_ANSWER_SHARED_OWNER, +                                timestamp, +                                owner_family, owner_address);                  if (r < 0)                          goto fail;          } -        if (!key) +        if (!key) /* mDNS doesn't know negative caching, really */                  return 0;          /* Third, add in negative entries if the key has no RR */ -        r = dns_answer_contains(answer, key); +        r = dns_answer_match_key(answer, key, NULL);          if (r < 0)                  goto fail;          if (r > 0)                  return 0; -        /* See https://tools.ietf.org/html/rfc2308, which -         * say that a matching SOA record in the packet -         * is used to to enable negative caching. */ - -        r = dns_answer_find_soa(answer, key, &soa); +        /* But not if it has a matching CNAME/DNAME (the negative +         * caching will be done on the canonical name, not on the +         * alias) */ +        r = dns_answer_find_cname_or_dname(answer, key, NULL, NULL);          if (r < 0)                  goto fail; -        if (r == 0) +        if (r > 0)                  return 0; -        /* Also, if the requested key is an alias, the negative response should -           be cached for each name in the redirect chain. Any CNAME record in -           the response is from the redirection chain, though only the final one -           is guaranteed to be included. This means that we cannot verify the -           chain and that we need to cache them all as it may be incomplete. */ -        for (i = 0; i < answer->n_rrs; i++) { -                DnsResourceRecord *answer_rr = answer->items[i].rr; - -                if (answer_rr->key->type == DNS_TYPE_CNAME) { -                        _cleanup_(dns_resource_key_unrefp) DnsResourceKey *canonical_key = NULL; +        /* See https://tools.ietf.org/html/rfc2308, which say that a +         * matching SOA record in the packet is used to to enable +         * negative caching. */ -                        canonical_key = dns_resource_key_new_redirect(key, answer_rr); -                        if (!canonical_key) -                                goto fail; - -                        /* Let's not add negative cache entries for records outside the current zone. */ -                        if (!dns_answer_match_soa(canonical_key, soa->key)) -                                continue; +        r = dns_answer_find_soa(answer, key, &soa, &flags); +        if (r < 0) +                goto fail; +        if (r == 0) +                return 0; -                        r = dns_cache_put_negative(c, canonical_key, rcode, authenticated, timestamp, MIN(soa->soa.minimum, soa->ttl), owner_family, owner_address); -                        if (r < 0) -                                goto fail; -                } -        } +        /* Refuse using the SOA data if it is unsigned, but the key is +         * signed */ +        if (authenticated && (flags & DNS_ANSWER_AUTHENTICATED) == 0) +                return 0; -        r = dns_cache_put_negative(c, key, rcode, authenticated, timestamp, MIN(soa->soa.minimum, soa->ttl), owner_family, owner_address); +        r = dns_cache_put_negative( +                        c, +                        key, +                        rcode, +                        authenticated, +                        timestamp, +                        MIN(soa->soa.minimum, soa->ttl), +                        owner_family, owner_address);          if (r < 0)                  goto fail; @@ -520,10 +637,14 @@ fail:           * added, just in case */          if (key) -                dns_cache_remove(c, key); +                dns_cache_remove_by_key(c, key); -        for (i = 0; i < answer->n_rrs; i++) -                dns_cache_remove(c, answer->items[i].rr->key); +        DNS_ANSWER_FOREACH_FLAGS(rr, flags, answer) { +                if ((flags & DNS_ANSWER_CACHEABLE) == 0) +                        continue; + +                dns_cache_remove_by_key(c, rr->key); +        }          return r;  } @@ -540,36 +661,48 @@ static DnsCacheItem *dns_cache_get_by_key_follow_cname_dname_nsec(DnsCache *c, D           * much, after all this is just a cache */          i = hashmap_get(c->by_key, k); -        if (i || IN_SET(k->type, DNS_TYPE_CNAME, DNS_TYPE_DNAME, DNS_TYPE_NSEC)) +        if (i)                  return i;          n = DNS_RESOURCE_KEY_NAME(k); -        /* Check if we have an NSEC record instead for the name. */ -        i = hashmap_get(c->by_key, &DNS_RESOURCE_KEY_CONST(k->class, DNS_TYPE_NSEC, n)); -        if (i) +        /* Check if we have an NXDOMAIN cache item for the name, notice that we use +         * the pseudo-type ANY for NXDOMAIN cache items. */ +        i = hashmap_get(c->by_key, &DNS_RESOURCE_KEY_CONST(k->class, DNS_TYPE_ANY, n)); +        if (i && i->type == DNS_CACHE_NXDOMAIN)                  return i; -        /* Check if we have a CNAME record instead */ -        i = hashmap_get(c->by_key, &DNS_RESOURCE_KEY_CONST(k->class, DNS_TYPE_CNAME, n)); -        if (i) -                return i; +        /* The following record types should never be redirected. See +         * <https://tools.ietf.org/html/rfc4035#section-2.5>. */ +        if (!IN_SET(k->type, DNS_TYPE_CNAME, DNS_TYPE_DNAME, +                            DNS_TYPE_NSEC3, DNS_TYPE_NSEC, DNS_TYPE_RRSIG, +                            DNS_TYPE_NXT, DNS_TYPE_SIG, DNS_TYPE_KEY)) { +                /* Check if we have a CNAME record instead */ +                i = hashmap_get(c->by_key, &DNS_RESOURCE_KEY_CONST(k->class, DNS_TYPE_CNAME, n)); +                if (i) +                        return i; -        /* OK, let's look for cached DNAME records. */ -        for (;;) { -                char label[DNS_LABEL_MAX]; +                /* OK, let's look for cached DNAME records. */ +                for (;;) { +                        if (isempty(n)) +                                return NULL; -                if (isempty(n)) -                        return NULL; +                        i = hashmap_get(c->by_key, &DNS_RESOURCE_KEY_CONST(k->class, DNS_TYPE_DNAME, n)); +                        if (i) +                                return i; + +                        /* Jump one label ahead */ +                        r = dns_name_parent(&n); +                        if (r <= 0) +                                return NULL; +                } +        } -                i = hashmap_get(c->by_key, &DNS_RESOURCE_KEY_CONST(k->class, DNS_TYPE_DNAME, n)); +        if (k->type != DNS_TYPE_NSEC) { +                /* Check if we have an NSEC record instead for the name. */ +                i = hashmap_get(c->by_key, &DNS_RESOURCE_KEY_CONST(k->class, DNS_TYPE_NSEC, n));                  if (i)                          return i; - -                /* Jump one label ahead */ -                r = dns_label_unescape(&n, label, sizeof(label)); -                if (r <= 0) -                        return NULL;          }          return NULL; @@ -596,11 +729,13 @@ int dns_cache_lookup(DnsCache *c, DnsResourceKey *key, int *rcode, DnsAnswer **r                  /* If we have ANY lookups we don't use the cache, so                   * that the caller refreshes via the network. */ -                r = dns_resource_key_to_string(key, &key_str); -                if (r < 0) -                        return r; +                if (log_get_max_level() >= LOG_DEBUG) { +                        r = dns_resource_key_to_string(key, &key_str); +                        if (r < 0) +                                return r; -                log_debug("Ignoring cache for ANY lookup: %s", key_str); +                        log_debug("Ignoring cache for ANY lookup: %s", key_str); +                }                  *ret = NULL;                  *rcode = DNS_RCODE_SUCCESS; @@ -611,11 +746,13 @@ int dns_cache_lookup(DnsCache *c, DnsResourceKey *key, int *rcode, DnsAnswer **r          if (!first) {                  /* If one question cannot be answered we need to refresh */ -                r = dns_resource_key_to_string(key, &key_str); -                if (r < 0) -                        return r; +                if (log_get_max_level() >= LOG_DEBUG) { +                        r = dns_resource_key_to_string(key, &key_str); +                        if (r < 0) +                                return r; -                log_debug("Cache miss for %s", key_str); +                        log_debug("Cache miss for %s", key_str); +                }                  *ret = NULL;                  *rcode = DNS_RCODE_SUCCESS; @@ -637,15 +774,17 @@ int dns_cache_lookup(DnsCache *c, DnsResourceKey *key, int *rcode, DnsAnswer **r                          have_non_authenticated = true;          } -        r = dns_resource_key_to_string(key, &key_str); -        if (r < 0) -                return r; -          if (nsec && key->type != DNS_TYPE_NSEC) { -                log_debug("NSEC NODATA cache hit for %s", key_str); +                if (log_get_max_level() >= LOG_DEBUG) { +                        r = dns_resource_key_to_string(key, &key_str); +                        if (r < 0) +                                return r; + +                        log_debug("NSEC NODATA cache hit for %s", key_str); +                }                  /* We only found an NSEC record that matches our name. -                 * If it says the type doesn't exit report +                 * If it says the type doesn't exist report                   * NODATA. Otherwise report a cache miss. */                  *ret = NULL; @@ -657,10 +796,16 @@ int dns_cache_lookup(DnsCache *c, DnsResourceKey *key, int *rcode, DnsAnswer **r                         !bitmap_isset(nsec->rr->nsec.types, DNS_TYPE_DNAME);          } -        log_debug("%s cache hit for %s", -                  n > 0    ? "Positive" : -                  nxdomain ? "NXDOMAIN" : "NODATA", -                  key_str); +        if (log_get_max_level() >= LOG_DEBUG) { +                r = dns_resource_key_to_string(key, &key_str); +                if (r < 0) +                        return r; + +                log_debug("%s cache hit for %s", +                          n > 0    ? "Positive" : +                          nxdomain ? "NXDOMAIN" : "NODATA", +                          key_str); +        }          if (n <= 0) {                  *ret = NULL; @@ -677,7 +822,7 @@ int dns_cache_lookup(DnsCache *c, DnsResourceKey *key, int *rcode, DnsAnswer **r                  if (!j->rr)                          continue; -                r = dns_answer_add(answer, j->rr, 0); +                r = dns_answer_add(answer, j->rr, 0, j->authenticated ? DNS_ANSWER_AUTHENTICATED : 0);                  if (r < 0)                          return r;          } @@ -726,6 +871,55 @@ int dns_cache_check_conflicts(DnsCache *cache, DnsResourceRecord *rr, int owner_          return 1;  } +int dns_cache_export_shared_to_packet(DnsCache *cache, DnsPacket *p) { +        unsigned ancount = 0; +        Iterator iterator; +        DnsCacheItem *i; +        int r; + +        assert(cache); +        assert(p); + +        HASHMAP_FOREACH(i, cache->by_key, iterator) { +                DnsCacheItem *j; + +                LIST_FOREACH(by_key, j, i) { +                        if (!j->rr) +                                continue; + +                        if (!j->shared_owner) +                                continue; + +                        r = dns_packet_append_rr(p, j->rr, NULL, NULL); +                        if (r == -EMSGSIZE && p->protocol == DNS_PROTOCOL_MDNS) { +                                /* For mDNS, if we're unable to stuff all known answers into the given packet, +                                 * allocate a new one, push the RR into that one and link it to the current one. +                                 */ + +                                DNS_PACKET_HEADER(p)->ancount = htobe16(ancount); +                                ancount = 0; + +                                r = dns_packet_new_query(&p->more, p->protocol, 0, true); +                                if (r < 0) +                                        return r; + +                                /* continue with new packet */ +                                p = p->more; +                                r = dns_packet_append_rr(p, j->rr, NULL, NULL); +                        } + +                        if (r < 0) +                                return r; + +                        ancount ++; +                } +        } + +        DNS_PACKET_HEADER(p)->ancount = htobe16(ancount); + +        return 0; +} +  void dns_cache_dump(DnsCache *cache, FILE *f) {          Iterator iterator;          DnsCacheItem *i; diff --git a/src/resolve/resolved-dns-cache.h b/src/resolve/resolved-dns-cache.h index 5f91164785..856c975299 100644 --- a/src/resolve/resolved-dns-cache.h +++ b/src/resolve/resolved-dns-cache.h @@ -32,16 +32,19 @@ typedef struct DnsCache {  } DnsCache;  #include "resolved-dns-answer.h" +#include "resolved-dns-packet.h"  #include "resolved-dns-question.h"  #include "resolved-dns-rr.h"  void dns_cache_flush(DnsCache *c);  void dns_cache_prune(DnsCache *c); -int dns_cache_put(DnsCache *c, DnsResourceKey *key, int rcode, DnsAnswer *answer, unsigned max_rrs, bool authenticated, usec_t timestamp, int owner_family, const union in_addr_union *owner_address); +int dns_cache_put(DnsCache *c, DnsResourceKey *key, int rcode, DnsAnswer *answer, bool authenticated, usec_t timestamp, int owner_family, const union in_addr_union *owner_address);  int dns_cache_lookup(DnsCache *c, DnsResourceKey *key, int *rcode, DnsAnswer **answer, bool *authenticated);  int dns_cache_check_conflicts(DnsCache *cache, DnsResourceRecord *rr, int owner_family, const union in_addr_union *owner_address);  void dns_cache_dump(DnsCache *cache, FILE *f);  bool dns_cache_is_empty(DnsCache *cache); + +int dns_cache_export_shared_to_packet(DnsCache *cache, DnsPacket *p); diff --git a/src/resolve/resolved-dns-dnssec.c b/src/resolve/resolved-dns-dnssec.c index 2d06775dca..814cb1c0f9 100644 --- a/src/resolve/resolved-dns-dnssec.c +++ b/src/resolve/resolved-dns-dnssec.c @@ -23,6 +23,7 @@  #include "alloc-util.h"  #include "dns-domain.h" +#include "hexdecoct.h"  #include "resolved-dns-dnssec.h"  #include "resolved-dns-packet.h"  #include "string-table.h" @@ -34,14 +35,13 @@   *   * TODO:   * - *   - Iterative validation - *   - NSEC proof of non-existance - *   - NSEC3 proof of non-existance   *   - Make trust anchor store read additional DS+DNSKEY data from disk   *   - wildcard zones compatibility   *   - multi-label zone compatibility - *   - DMSSEC cname/dname compatibility + *   - cname/dname compatibility   *   - per-interface DNSSEC setting + *   - fix TTL for cache entries to match RRSIG TTL + *   - retry on failed validation?   *   - DSA support   *   - EC support?   * @@ -64,6 +64,19 @@   *            Normal RR → RRSIG/DNSKEY+ → DS → RRSIG/DNSKEY+ → DS → ... → DS → RRSIG/DNSKEY+ → DS   */ +static void initialize_libgcrypt(void) { +        const char *p; + +        if (gcry_control(GCRYCTL_INITIALIZATION_FINISHED_P)) +                return; + +        p = gcry_check_version("1.4.5"); +        assert(p); + +        gcry_control(GCRYCTL_DISABLE_SECMEM); +        gcry_control(GCRYCTL_INITIALIZATION_FINISHED, 0); +} +  static bool dnssec_algorithm_supported(int algorithm) {          return IN_SET(algorithm,                        DNSSEC_ALGORITHM_RSASHA1, @@ -72,12 +85,6 @@ static bool dnssec_algorithm_supported(int algorithm) {                        DNSSEC_ALGORITHM_RSASHA512);  } -static bool dnssec_digest_supported(int digest) { -        return IN_SET(digest, -                      DNSSEC_DIGEST_SHA1, -                      DNSSEC_DIGEST_SHA256); -} -  uint16_t dnssec_keytag(DnsResourceRecord *dnskey) {          const uint8_t *p;          uint32_t sum; @@ -193,11 +200,12 @@ static int dnssec_rsa_verify(          }          ge = gcry_pk_verify(signature_sexp, data_sexp, public_key_sexp); -        if (ge == GPG_ERR_BAD_SIGNATURE) +        if (gpg_err_code(ge) == GPG_ERR_BAD_SIGNATURE)                  r = 0; -        else if (ge != 0) +        else if (ge != 0) { +                log_debug("RSA signature check failed: %s", gpg_strerror(ge));                  r = -EIO; -        else +        } else                  r = 1;  finish: @@ -272,7 +280,8 @@ int dnssec_verify_rrset(                  DnsResourceKey *key,                  DnsResourceRecord *rrsig,                  DnsResourceRecord *dnskey, -                usec_t realtime) { +                usec_t realtime, +                DnssecResult *result) {          uint8_t wire_format_name[DNS_WIRE_FOMAT_HOSTNAME_MAX];          size_t exponent_size, modulus_size, hash_size; @@ -285,6 +294,7 @@ int dnssec_verify_rrset(          assert(key);          assert(rrsig);          assert(dnskey); +        assert(result);          assert(rrsig->key->type == DNS_TYPE_RRSIG);          assert(dnskey->key->type == DNS_TYPE_DNSKEY); @@ -292,8 +302,10 @@ int dnssec_verify_rrset(           * using the signature "rrsig" and the key "dnskey". It's           * assumed the RRSIG and DNSKEY match. */ -        if (!dnssec_algorithm_supported(rrsig->rrsig.algorithm)) -                return -EOPNOTSUPP; +        if (!dnssec_algorithm_supported(rrsig->rrsig.algorithm)) { +                *result = DNSSEC_UNSUPPORTED_ALGORITHM; +                return 0; +        }          if (a->n_rrs > VERIFY_RRS_MAX)                  return -E2BIG; @@ -301,8 +313,10 @@ int dnssec_verify_rrset(          r = dnssec_rrsig_expired(rrsig, realtime);          if (r < 0)                  return r; -        if (r > 0) -                return DNSSEC_SIGNATURE_EXPIRED; +        if (r > 0) { +                *result = DNSSEC_SIGNATURE_EXPIRED; +                return 0; +        }          /* Collect all relevant RRs in a single array, so that we can look at the RRset */          list = newa(DnsResourceRecord *, a->n_rrs); @@ -326,7 +340,9 @@ int dnssec_verify_rrset(                  return -ENODATA;          /* Bring the RRs into canonical order */ -        qsort_safe(list, n, sizeof(DnsResourceRecord), rr_compare); +        qsort_safe(list, n, sizeof(DnsResourceRecord*), rr_compare); + +        initialize_libgcrypt();          /* OK, the RRs are now in canonical order. Let's calculate the digest */          switch (rrsig->rrsig.algorithm) { @@ -444,7 +460,8 @@ int dnssec_verify_rrset(          if (r < 0)                  goto finish; -        r = r ? DNSSEC_VERIFIED : DNSSEC_INVALID; +        *result = r ? DNSSEC_VALIDATED : DNSSEC_INVALID; +        r = 0;  finish:          gcry_md_close(md); @@ -476,10 +493,10 @@ int dnssec_rrsig_match_dnskey(DnsResourceRecord *rrsig, DnsResourceRecord *dnske          if (dnssec_keytag(dnskey) != rrsig->rrsig.key_tag)                  return 0; -        return dns_name_equal(DNS_RESOURCE_KEY_NAME(dnskey->key), DNS_RESOURCE_KEY_NAME(rrsig->key)); +        return dns_name_equal(DNS_RESOURCE_KEY_NAME(dnskey->key), rrsig->rrsig.signer);  } -int dnssec_key_match_rrsig(DnsResourceKey *key, DnsResourceRecord *rrsig) { +int dnssec_key_match_rrsig(const DnsResourceKey *key, DnsResourceRecord *rrsig) {          assert(key);          assert(rrsig); @@ -499,15 +516,17 @@ int dnssec_verify_rrset_search(                  DnsAnswer *a,                  DnsResourceKey *key,                  DnsAnswer *validated_dnskeys, -                usec_t realtime) { +                usec_t realtime, +                DnssecResult *result) { -        bool found_rrsig = false, found_dnskey = false; +        bool found_rrsig = false, found_invalid = false, found_expired_rrsig = false, found_unsupported_algorithm = false;          DnsResourceRecord *rrsig;          int r;          assert(key); +        assert(result); -        /* Verifies all RRs from "a" that match the key "key", against DNSKEY RRs in "validated_dnskeys" */ +        /* Verifies all RRs from "a" that match the key "key" against DNSKEYs in "validated_dnskeys" */          if (!a || a->n_rrs <= 0)                  return -ENODATA; @@ -515,7 +534,9 @@ int dnssec_verify_rrset_search(          /* Iterate through each RRSIG RR. */          DNS_ANSWER_FOREACH(rrsig, a) {                  DnsResourceRecord *dnskey; +                DnsAnswerFlags flags; +                /* Is this an RRSIG RR that applies to RRs matching our key? */                  r = dnssec_key_match_rrsig(key, rrsig);                  if (r < 0)                          return r; @@ -524,16 +545,20 @@ int dnssec_verify_rrset_search(                  found_rrsig = true; -                DNS_ANSWER_FOREACH(dnskey, validated_dnskeys) { +                /* Look for a matching key */ +                DNS_ANSWER_FOREACH_FLAGS(dnskey, flags, validated_dnskeys) { +                        DnssecResult one_result; +                        if ((flags & DNS_ANSWER_AUTHENTICATED) == 0) +                                continue; + +                        /* Is this a DNSKEY RR that matches they key of our RRSIG? */                          r = dnssec_rrsig_match_dnskey(rrsig, dnskey);                          if (r < 0)                                  return r;                          if (r == 0)                                  continue; -                        found_dnskey = true; -                          /* Take the time here, if it isn't set yet, so                           * that we do all validations with the same                           * time. */ @@ -545,27 +570,78 @@ int dnssec_verify_rrset_search(                           * the RRSet against the RRSIG and DNSKEY                           * combination. */ -                        r = dnssec_verify_rrset(a, key, rrsig, dnskey, realtime); -                        if (r < 0 && r != EOPNOTSUPP) +                        r = dnssec_verify_rrset(a, key, rrsig, dnskey, realtime, &one_result); +                        if (r < 0)                                  return r; -                        if (r == DNSSEC_VERIFIED) -                                return DNSSEC_VERIFIED; - -                        /* If the signature is invalid, or done using -                           an unsupported algorithm, let's try another -                           key and/or signature. After all they -                           key_tags and stuff are not unique, and -                           might be shared by multiple keys. */ + +                        switch (one_result) { + +                        case DNSSEC_VALIDATED: +                                /* Yay, the RR has been validated, +                                 * return immediately. */ +                                *result = DNSSEC_VALIDATED; +                                return 0; + +                        case DNSSEC_INVALID: +                                /* If the signature is invalid, let's try another +                                   key and/or signature. After all they +                                   key_tags and stuff are not unique, and +                                   might be shared by multiple keys. */ +                                found_invalid = true; +                                continue; + +                        case DNSSEC_UNSUPPORTED_ALGORITHM: +                                /* If the key algorithm is +                                   unsupported, try another +                                   RRSIG/DNSKEY pair, but remember we +                                   encountered this, so that we can +                                   return a proper error when we +                                   encounter nothing better. */ +                                found_unsupported_algorithm = true; +                                continue; + +                        case DNSSEC_SIGNATURE_EXPIRED: +                                /* If the signature is expired, try +                                   another one, but remember it, so +                                   that we can return this */ +                                found_expired_rrsig = true; +                                continue; + +                        default: +                                assert_not_reached("Unexpected DNSSEC validation result"); +                        }                  }          } -        if (found_dnskey) -                return DNSSEC_INVALID; +        if (found_expired_rrsig) +                *result = DNSSEC_SIGNATURE_EXPIRED; +        else if (found_unsupported_algorithm) +                *result = DNSSEC_UNSUPPORTED_ALGORITHM; +        else if (found_invalid) +                *result = DNSSEC_INVALID; +        else if (found_rrsig) +                *result = DNSSEC_MISSING_KEY; +        else +                *result = DNSSEC_NO_SIGNATURE; + +        return 0; +} + +int dnssec_has_rrsig(DnsAnswer *a, const DnsResourceKey *key) { +        DnsResourceRecord *rr; +        int r; -        if (found_rrsig) -                return DNSSEC_MISSING_KEY; +        /* Checks whether there's at least one RRSIG in 'a' that proctects RRs of the specified key */ -        return DNSSEC_NO_SIGNATURE; +        DNS_ANSWER_FOREACH(rr, a) { +                r = dnssec_key_match_rrsig(key, rr); +                if (r < 0) +                        return r; +                if (r > 0) +                        return 1; +        } + +        return 0;  }  int dnssec_canonicalize(const char *n, char *buffer, size_t buffer_max) { @@ -633,9 +709,28 @@ int dnssec_canonicalize(const char *n, char *buffer, size_t buffer_max) {          return (int) c;  } +static int digest_to_gcrypt(uint8_t algorithm) { + +        /* Translates a DNSSEC digest algorithm into a gcrypt digest iedntifier */ + +        switch (algorithm) { + +        case DNSSEC_DIGEST_SHA1: +                return GCRY_MD_SHA1; + +        case DNSSEC_DIGEST_SHA256: +                return GCRY_MD_SHA256; + +        default: +                return -EOPNOTSUPP; +        } +} +  int dnssec_verify_dnskey(DnsResourceRecord *dnskey, DnsResourceRecord *ds) { -        gcry_md_hd_t md = NULL;          char owner_name[DNSSEC_CANONICAL_HOSTNAME_MAX]; +        gcry_md_hd_t md = NULL; +        size_t hash_size; +        int algorithm;          void *result;          int r; @@ -653,45 +748,31 @@ int dnssec_verify_dnskey(DnsResourceRecord *dnskey, DnsResourceRecord *ds) {          if (dnskey->dnskey.protocol != 3)                  return -EKEYREJECTED; -        if (!dnssec_algorithm_supported(dnskey->dnskey.algorithm)) -                return -EOPNOTSUPP; -        if (!dnssec_digest_supported(ds->ds.digest_type)) -                return -EOPNOTSUPP; -          if (dnskey->dnskey.algorithm != ds->ds.algorithm)                  return 0;          if (dnssec_keytag(dnskey) != ds->ds.key_tag)                  return 0; -        switch (ds->ds.digest_type) { - -        case DNSSEC_DIGEST_SHA1: - -                if (ds->ds.digest_size != 20) -                        return 0; - -                gcry_md_open(&md, GCRY_MD_SHA1, 0); -                break; +        initialize_libgcrypt(); -        case DNSSEC_DIGEST_SHA256: +        algorithm = digest_to_gcrypt(ds->ds.digest_type); +        if (algorithm < 0) +                return algorithm; -                if (ds->ds.digest_size != 32) -                        return 0; +        hash_size = gcry_md_get_algo_dlen(algorithm); +        assert(hash_size > 0); -                gcry_md_open(&md, GCRY_MD_SHA256, 0); -                break; +        if (ds->ds.digest_size != hash_size) +                return 0; -        default: -                assert_not_reached("Unknown digest"); -        } +        r = dnssec_canonicalize(DNS_RESOURCE_KEY_NAME(dnskey->key), owner_name, sizeof(owner_name)); +        if (r < 0) +                return r; +        gcry_md_open(&md, algorithm, 0);          if (!md)                  return -EIO; -        r = dnssec_canonicalize(DNS_RESOURCE_KEY_NAME(dnskey->key), owner_name, sizeof(owner_name)); -        if (r < 0) -                goto finish; -          gcry_md_write(md, owner_name, r);          md_add_uint16(md, dnskey->dnskey.flags);          md_add_uint8(md, dnskey->dnskey.protocol); @@ -711,9 +792,334 @@ finish:          return r;  } +int dnssec_verify_dnskey_search(DnsResourceRecord *dnskey, DnsAnswer *validated_ds) { +        DnsResourceRecord *ds; +        DnsAnswerFlags flags; +        int r; + +        assert(dnskey); + +        if (dnskey->key->type != DNS_TYPE_DNSKEY) +                return 0; + +        DNS_ANSWER_FOREACH_FLAGS(ds, flags, validated_ds) { + +                if ((flags & DNS_ANSWER_AUTHENTICATED) == 0) +                        continue; + +                if (ds->key->type != DNS_TYPE_DS) +                        continue; + +                r = dnssec_verify_dnskey(dnskey, ds); +                if (r < 0) +                        return r; +                if (r > 0) +                        return 1; +        } + +        return 0; +} + +int dnssec_nsec3_hash(DnsResourceRecord *nsec3, const char *name, void *ret) { +        uint8_t wire_format[DNS_WIRE_FOMAT_HOSTNAME_MAX]; +        gcry_md_hd_t md = NULL; +        size_t hash_size; +        int algorithm; +        void *result; +        unsigned k; +        int r; + +        assert(nsec3); +        assert(name); +        assert(ret); + +        if (nsec3->key->type != DNS_TYPE_NSEC3) +                return -EINVAL; + +        algorithm = digest_to_gcrypt(nsec3->nsec3.algorithm); +        if (algorithm < 0) +                return algorithm; + +        initialize_libgcrypt(); + +        hash_size = gcry_md_get_algo_dlen(algorithm); +        assert(hash_size > 0); + +        if (nsec3->nsec3.next_hashed_name_size != hash_size) +                return -EINVAL; + +        r = dns_name_to_wire_format(name, wire_format, sizeof(wire_format), true); +        if (r < 0) +                return r; + +        gcry_md_open(&md, algorithm, 0); +        if (!md) +                return -EIO; + +        gcry_md_write(md, wire_format, r); +        gcry_md_write(md, nsec3->nsec3.salt, nsec3->nsec3.salt_size); + +        result = gcry_md_read(md, 0); +        if (!result) { +                r = -EIO; +                goto finish; +        } + +        for (k = 0; k < nsec3->nsec3.iterations; k++) { +                uint8_t tmp[hash_size]; +                memcpy(tmp, result, hash_size); + +                gcry_md_reset(md); +                gcry_md_write(md, tmp, hash_size); +                gcry_md_write(md, nsec3->nsec3.salt, nsec3->nsec3.salt_size); + +                result = gcry_md_read(md, 0); +                if (!result) { +                        r = -EIO; +                        goto finish; +                } +        } + +        memcpy(ret, result, hash_size); +        r = (int) hash_size; + +finish: +        gcry_md_close(md); +        return r; +} + +static int dnssec_test_nsec3(DnsAnswer *answer, DnsResourceKey *key, DnssecNsecResult *result) { +        _cleanup_free_ char *next_closer_domain = NULL, *l = NULL; +        uint8_t hashed[DNSSEC_HASH_SIZE_MAX]; +        const char *p, *pp = NULL; +        DnsResourceRecord *rr; +        DnsAnswerFlags flags; +        int hashed_size, r; + +        assert(key); +        assert(result); + +        /* First step, look for the closest encloser NSEC3 RR in 'answer' that matches 'key' */ +        p = DNS_RESOURCE_KEY_NAME(key); +        for (;;) { +                DNS_ANSWER_FOREACH_FLAGS(rr, flags, answer) { +                        _cleanup_free_ char *hashed_domain = NULL, *label = NULL; + +                        if ((flags & DNS_ANSWER_AUTHENTICATED) == 0) +                                continue; + +                        if (rr->key->type != DNS_TYPE_NSEC3) +                                continue; + +                        /* RFC  5155, Section 8.2 says we MUST ignore NSEC3 RRs with flags != 0 or 1 */ +                        if (!IN_SET(rr->nsec3.flags, 0, 1)) +                                continue; + +                        r = dns_name_endswith(DNS_RESOURCE_KEY_NAME(rr->key), p); +                        if (r < 0) +                                return r; +                        if (r == 0) +                                continue; + +                        hashed_size = dnssec_nsec3_hash(rr, p, hashed); +                        if (hashed_size == -EOPNOTSUPP) { +                                *result = DNSSEC_NSEC_UNSUPPORTED_ALGORITHM; +                                return 0; +                        } +                        if (hashed_size < 0) +                                return hashed_size; +                        if (rr->nsec3.next_hashed_name_size != (size_t) hashed_size) +                                return -EBADMSG; + +                        label = base32hexmem(hashed, hashed_size, false); +                        if (!label) +                                return -ENOMEM; + +                        hashed_domain = strjoin(label, ".", p, NULL); +                        if (!hashed_domain) +                                return -ENOMEM; + +                        r = dns_name_equal(DNS_RESOURCE_KEY_NAME(rr->key), hashed_domain); +                        if (r < 0) +                                return r; +                        if (r > 0) +                                goto found; +                } + +                /* We didn't find the closest encloser with this name, +                 * but let's remember this domain name, it might be +                 * the next closer name */ + +                pp = p; + +                /* Strip one label from the front */ +                r = dns_name_parent(&p); +                if (r < 0) +                        return r; +                if (r == 0) +                        break; +        } + +        *result = DNSSEC_NSEC_NO_RR; +        return 0; + +found: +        /* We found a closest encloser in 'p'; next closer is 'pp' */ + +        /* Ensure this is not a DNAME domain, see RFC5155, section 8.3. */ +        if (bitmap_isset(rr->nsec3.types, DNS_TYPE_DNAME)) +                return -EBADMSG; + +        /* Ensure that this data is from the delegated domain +         * (i.e. originates from the "lower" DNS server), and isn't +         * just glue records (i.e. doesn't originate from the "upper" +         * DNS server). */ +        if (bitmap_isset(rr->nsec3.types, DNS_TYPE_NS) && +            !bitmap_isset(rr->nsec3.types, DNS_TYPE_SOA)) +                return -EBADMSG; + +        if (!pp) { +                /* No next closer NSEC3 RR. That means there's a direct NSEC3 RR for our key. */ +                *result = bitmap_isset(rr->nsec3.types, key->type) ? DNSSEC_NSEC_FOUND : DNSSEC_NSEC_NODATA; +                return 0; +        } + +        r = dnssec_nsec3_hash(rr, pp, hashed); +        if (r < 0) +                return r; +        if (r != hashed_size) +                return -EBADMSG; + +        l = base32hexmem(hashed, hashed_size, false); +        if (!l) +                return -ENOMEM; + +        next_closer_domain = strjoin(l, ".", p, NULL); +        if (!next_closer_domain) +                return -ENOMEM; + +        DNS_ANSWER_FOREACH_FLAGS(rr, flags, answer) { +                _cleanup_free_ char *label = NULL, *next_hashed_domain = NULL; +                const char *nsec3_parent; + +                if ((flags & DNS_ANSWER_AUTHENTICATED) == 0) +                        continue; + +                if (rr->key->type != DNS_TYPE_NSEC3) +                        continue; + +                /* RFC  5155, Section 8.2 says we MUST ignore NSEC3 RRs with flags != 0 or 1 */ +                if (!IN_SET(rr->nsec3.flags, 0, 1)) +                        continue; + +                nsec3_parent = DNS_RESOURCE_KEY_NAME(rr->key); +                r = dns_name_parent(&nsec3_parent); +                if (r < 0) +                        return r; +                if (r == 0) +                        continue; + +                r = dns_name_equal(p, nsec3_parent); +                if (r < 0) +                        return r; +                if (r == 0) +                        continue; + +                label = base32hexmem(rr->nsec3.next_hashed_name, rr->nsec3.next_hashed_name_size, false); +                if (!label) +                        return -ENOMEM; + +                next_hashed_domain = strjoin(label, ".", p, NULL); +                if (!next_hashed_domain) +                        return -ENOMEM; + +                r = dns_name_between(DNS_RESOURCE_KEY_NAME(rr->key), next_closer_domain, next_hashed_domain); +                if (r < 0) +                        return r; +                if (r > 0) { +                        if (rr->nsec3.flags & 1) +                                *result = DNSSEC_NSEC_OPTOUT; +                        else +                                *result = DNSSEC_NSEC_NXDOMAIN; + +                        return 1; +                } +        } + +        *result = DNSSEC_NSEC_NO_RR; +        return 0; +} + +int dnssec_test_nsec(DnsAnswer *answer, DnsResourceKey *key, DnssecNsecResult *result) { +        DnsResourceRecord *rr; +        bool have_nsec3 = false; +        DnsAnswerFlags flags; +        int r; + +        assert(key); +        assert(result); + +        /* Look for any NSEC/NSEC3 RRs that say something about the specified key. */ + +        DNS_ANSWER_FOREACH_FLAGS(rr, flags, answer) { + +                if (rr->key->class != key->class) +                        continue; + +                if ((flags & DNS_ANSWER_AUTHENTICATED) == 0) +                        continue; + +                switch (rr->key->type) { + +                case DNS_TYPE_NSEC: + +                        r = dns_name_equal(DNS_RESOURCE_KEY_NAME(rr->key), DNS_RESOURCE_KEY_NAME(key)); +                        if (r < 0) +                                return r; +                        if (r > 0) { +                                *result = bitmap_isset(rr->nsec.types, key->type) ? DNSSEC_NSEC_FOUND : DNSSEC_NSEC_NODATA; +                                return 0; +                        } + +                        r = dns_name_between(DNS_RESOURCE_KEY_NAME(rr->key), DNS_RESOURCE_KEY_NAME(key), rr->nsec.next_domain_name); +                        if (r < 0) +                                return r; +                        if (r > 0) { +                                *result = DNSSEC_NSEC_NXDOMAIN; +                                return 0; +                        } +                        break; + +                case DNS_TYPE_NSEC3: +                        have_nsec3 = true; +                        break; +                } +        } + +        /* OK, this was not sufficient. Let's see if NSEC3 can help. */ +        if (have_nsec3) +                return dnssec_test_nsec3(answer, key, result); + +        /* No approproate NSEC RR found, report this. */ +        *result = DNSSEC_NSEC_NO_RR; +        return 0; +} +  static const char* const dnssec_mode_table[_DNSSEC_MODE_MAX] = {          [DNSSEC_NO] = "no", -        [DNSSEC_TRUST] = "trust",          [DNSSEC_YES] = "yes",  };  DEFINE_STRING_TABLE_LOOKUP(dnssec_mode, DnssecMode); + +static const char* const dnssec_result_table[_DNSSEC_RESULT_MAX] = { +        [DNSSEC_VALIDATED] = "validated", +        [DNSSEC_INVALID] = "invalid", +        [DNSSEC_SIGNATURE_EXPIRED] = "signature-expired", +        [DNSSEC_UNSUPPORTED_ALGORITHM] = "unsupported-algorithm", +        [DNSSEC_NO_SIGNATURE] = "no-signature", +        [DNSSEC_MISSING_KEY] = "missing-key", +        [DNSSEC_UNSIGNED] = "unsigned", +        [DNSSEC_FAILED_AUXILIARY] = "failed-auxiliary", +        [DNSSEC_NSEC_MISMATCH] = "nsec-mismatch", +}; +DEFINE_STRING_TABLE_LOOKUP(dnssec_result, DnssecResult); diff --git a/src/resolve/resolved-dns-dnssec.h b/src/resolve/resolved-dns-dnssec.h index f4cb58988a..d17d5142f5 100644 --- a/src/resolve/resolved-dns-dnssec.h +++ b/src/resolve/resolved-dns-dnssec.h @@ -22,6 +22,7 @@  ***/  typedef enum DnssecMode DnssecMode; +typedef enum DnssecResult DnssecResult;  #include "dns-domain.h"  #include "resolved-dns-answer.h" @@ -31,9 +32,6 @@ enum DnssecMode {          /* No DNSSEC validation is done */          DNSSEC_NO, -        /* Trust the AD bit sent by the server. UNSAFE! */ -        DNSSEC_TRUST, -          /* Validate locally, if the server knows DO, but if not, don't. Don't trust the AD bit */          DNSSEC_YES, @@ -41,27 +39,60 @@ enum DnssecMode {          _DNSSEC_MODE_INVALID = -1  }; -enum { -        DNSSEC_VERIFIED, +enum DnssecResult { +        /* These four are returned by dnssec_verify_rrset() */ +        DNSSEC_VALIDATED,          DNSSEC_INVALID, +        DNSSEC_SIGNATURE_EXPIRED, +        DNSSEC_UNSUPPORTED_ALGORITHM, + +        /* These two are added by dnssec_verify_rrset_search() */          DNSSEC_NO_SIGNATURE,          DNSSEC_MISSING_KEY, -        DNSSEC_SIGNATURE_EXPIRED, + +        /* These two are added by the DnsTransaction logic */ +        DNSSEC_UNSIGNED, +        DNSSEC_FAILED_AUXILIARY, +        DNSSEC_NSEC_MISMATCH, +        _DNSSEC_RESULT_MAX, +        _DNSSEC_RESULT_INVALID = -1  };  #define DNSSEC_CANONICAL_HOSTNAME_MAX (DNS_HOSTNAME_MAX + 2) +/* The longest digest we'll ever generate, of all digest algorithms we support */ +#define DNSSEC_HASH_SIZE_MAX (MAX(20, 32)) +  int dnssec_rrsig_match_dnskey(DnsResourceRecord *rrsig, DnsResourceRecord *dnskey); -int dnssec_key_match_rrsig(DnsResourceKey *key, DnsResourceRecord *rrsig); +int dnssec_key_match_rrsig(const DnsResourceKey *key, DnsResourceRecord *rrsig); -int dnssec_verify_rrset(DnsAnswer *answer, DnsResourceKey *key, DnsResourceRecord *rrsig, DnsResourceRecord *dnskey, usec_t realtime); -int dnssec_verify_rrset_search(DnsAnswer *a, DnsResourceKey *key, DnsAnswer *validated_dnskeys, usec_t realtime); +int dnssec_verify_rrset(DnsAnswer *answer, DnsResourceKey *key, DnsResourceRecord *rrsig, DnsResourceRecord *dnskey, usec_t realtime, DnssecResult *result); +int dnssec_verify_rrset_search(DnsAnswer *answer, DnsResourceKey *key, DnsAnswer *validated_dnskeys, usec_t realtime, DnssecResult *result);  int dnssec_verify_dnskey(DnsResourceRecord *dnskey, DnsResourceRecord *ds); +int dnssec_verify_dnskey_search(DnsResourceRecord *dnskey, DnsAnswer *validated_ds); + +int dnssec_has_rrsig(DnsAnswer *a, const DnsResourceKey *key);  uint16_t dnssec_keytag(DnsResourceRecord *dnskey);  int dnssec_canonicalize(const char *n, char *buffer, size_t buffer_max); +int dnssec_nsec3_hash(DnsResourceRecord *nsec3, const char *name, void *ret); + +typedef enum DnssecNsecResult { +        DNSSEC_NSEC_NO_RR,     /* No suitable NSEC/NSEC3 RR found */ +        DNSSEC_NSEC_UNSUPPORTED_ALGORITHM, +        DNSSEC_NSEC_NXDOMAIN, +        DNSSEC_NSEC_NODATA, +        DNSSEC_NSEC_FOUND, +        DNSSEC_NSEC_OPTOUT, +} DnssecNsecResult; + +int dnssec_test_nsec(DnsAnswer *answer, DnsResourceKey *key, DnssecNsecResult *result); +  const char* dnssec_mode_to_string(DnssecMode m) _const_;  DnssecMode dnssec_mode_from_string(const char *s) _pure_; + +const char* dnssec_result_to_string(DnssecResult m) _const_; +DnssecResult dnssec_result_from_string(const char *s) _pure_; diff --git a/src/resolve/resolved-dns-packet.c b/src/resolve/resolved-dns-packet.c index ea776f7916..14faf9e4ab 100644 --- a/src/resolve/resolved-dns-packet.c +++ b/src/resolve/resolved-dns-packet.c @@ -65,20 +65,18 @@ int dns_packet_new(DnsPacket **ret, DnsProtocol protocol, size_t mtu) {          return 0;  } -int dns_packet_new_query(DnsPacket **ret, DnsProtocol protocol, size_t mtu, bool dnssec_checking_disabled) { -        DnsPacket *p; -        DnsPacketHeader *h; -        int r; +void dns_packet_set_flags(DnsPacket *p, bool dnssec_checking_disabled, bool truncated) { -        assert(ret); +        DnsPacketHeader *h; -        r = dns_packet_new(&p, protocol, mtu); -        if (r < 0) -                return r; +        assert(p);          h = DNS_PACKET_HEADER(p); -        if (protocol == DNS_PROTOCOL_LLMNR) +        switch(p->protocol) { +        case DNS_PROTOCOL_LLMNR: +                assert(!truncated); +                  h->flags = htobe16(DNS_PACKET_MAKE_FLAGS(0 /* qr */,                                                           0 /* opcode */,                                                           0 /* c */, @@ -88,7 +86,23 @@ int dns_packet_new_query(DnsPacket **ret, DnsProtocol protocol, size_t mtu, bool                                                           0 /* ad */,                                                           0 /* cd */,                                                           0 /* rcode */)); -        else +                break; + +        case DNS_PROTOCOL_MDNS: +                h->flags = htobe16(DNS_PACKET_MAKE_FLAGS(0         /* qr */, +                                                         0         /* opcode */, +                                                         0         /* aa */, +                                                         truncated /* tc */, +                                                         0         /* rd (ask for recursion) */, +                                                         0         /* ra */, +                                                         0         /* ad */, +                                                         0         /* cd */, +                                                         0         /* rcode */)); +                break; + +        default: +                assert(!truncated); +                  h->flags = htobe16(DNS_PACKET_MAKE_FLAGS(0 /* qr */,                                                           0 /* opcode */,                                                           0 /* aa */, @@ -98,6 +112,23 @@ int dns_packet_new_query(DnsPacket **ret, DnsProtocol protocol, size_t mtu, bool                                                           0 /* ad */,                                                           dnssec_checking_disabled /* cd */,                                                           0 /* rcode */)); +        } +} + +int dns_packet_new_query(DnsPacket **ret, DnsProtocol protocol, size_t mtu, bool dnssec_checking_disabled) { +        DnsPacket *p; +        int r; + +        assert(ret); + +        r = dns_packet_new(&p, protocol, mtu); +        if (r < 0) +                return r; + +        /* Always set the TC bit to 0 initially. +         * If there are multiple packets later, we'll update the bit shortly before sending. +         */ +        dns_packet_set_flags(p, dnssec_checking_disabled, false);          *ret = p;          return 0; @@ -122,6 +153,7 @@ static void dns_packet_free(DnsPacket *p) {          dns_question_unref(p->question);          dns_answer_unref(p->answer); +        dns_resource_record_unref(p->opt);          while ((s = hashmap_steal_first_key(p->names)))                  free(s); @@ -139,6 +171,8 @@ DnsPacket *dns_packet_unref(DnsPacket *p) {          assert(p->n_ref > 0); +        dns_packet_unref(p->more); +          if (p->n_ref == 1)                  dns_packet_free(p);          else @@ -175,6 +209,7 @@ int dns_packet_validate_reply(DnsPacket *p) {                  return -EBADMSG;          switch (p->protocol) { +          case DNS_PROTOCOL_LLMNR:                  /* RFC 4795, Section 2.1.1. says to discard all replies with QDCOUNT != 1 */                  if (DNS_PACKET_QDCOUNT(p) != 1) @@ -182,6 +217,13 @@ int dns_packet_validate_reply(DnsPacket *p) {                  break; +        case DNS_PROTOCOL_MDNS: +                /* RFC 6762, Section 18 */ +                if (DNS_PACKET_RCODE(p) != 0) +                        return -EBADMSG; + +                break; +          default:                  break;          } @@ -208,6 +250,7 @@ int dns_packet_validate_query(DnsPacket *p) {                  return -EBADMSG;          switch (p->protocol) { +          case DNS_PROTOCOL_LLMNR:                  /* RFC 4795, Section 2.1.1. says to discard all queries with QDCOUNT != 1 */                  if (DNS_PACKET_QDCOUNT(p) != 1) @@ -223,6 +266,18 @@ int dns_packet_validate_query(DnsPacket *p) {                  break; +        case DNS_PROTOCOL_MDNS: +                /* RFC 6762, Section 18 */ +                if (DNS_PACKET_AA(p)    != 0 || +                    DNS_PACKET_RD(p)    != 0 || +                    DNS_PACKET_RA(p)    != 0 || +                    DNS_PACKET_AD(p)    != 0 || +                    DNS_PACKET_CD(p)    != 0 || +                    DNS_PACKET_RCODE(p) != 0) +                        return -EBADMSG; + +                break; +          default:                  break;          } @@ -383,10 +438,15 @@ int dns_packet_append_raw_string(DnsPacket *p, const void *s, size_t size, size_          return 0;  } -int dns_packet_append_label(DnsPacket *p, const char *d, size_t l, size_t *start) { +int dns_packet_append_label(DnsPacket *p, const char *d, size_t l, bool canonical_candidate, size_t *start) {          uint8_t *w;          int r; +        /* Append a label to a packet. Optionally, does this in DNSSEC +         * canonical form, if this label is marked as a candidate for +         * it, and the canonical form logic is enabled for the +         * packet */ +          assert(p);          assert(d); @@ -399,7 +459,7 @@ int dns_packet_append_label(DnsPacket *p, const char *d, size_t l, size_t *start          *(w++) = (uint8_t) l; -        if (p->canonical_form) { +        if (p->canonical_form && canonical_candidate) {                  size_t i;                  /* Generate in canonical form, as defined by DNSSEC @@ -424,6 +484,7 @@ int dns_packet_append_name(                  DnsPacket *p,                  const char *name,                  bool allow_compression, +                bool canonical_candidate,                  size_t *start) {          size_t saved_size; @@ -478,7 +539,7 @@ int dns_packet_append_name(                  if (k > 0)                          r = k; -                r = dns_packet_append_label(p, label, r, &n); +                r = dns_packet_append_label(p, label, r, canonical_candidate, &n);                  if (r < 0)                          goto fail; @@ -519,7 +580,7 @@ int dns_packet_append_key(DnsPacket *p, const DnsResourceKey *k, size_t *start)          saved_size = p->size; -        r = dns_packet_append_name(p, DNS_RESOURCE_KEY_NAME(k), true, NULL); +        r = dns_packet_append_name(p, DNS_RESOURCE_KEY_NAME(k), true, true, NULL);          if (r < 0)                  goto fail; @@ -541,7 +602,7 @@ fail:          return r;  } -static int dns_packet_append_type_window(DnsPacket *p, uint8_t window, uint8_t length, uint8_t *types, size_t *start) { +static int dns_packet_append_type_window(DnsPacket *p, uint8_t window, uint8_t length, const uint8_t *types, size_t *start) {          size_t saved_size;          int r; @@ -598,15 +659,16 @@ static int dns_packet_append_types(DnsPacket *p, Bitmap *types, size_t *start) {                  }                  window = n >> 8; -                  entry = n & 255;                  bitmaps[entry / 8] |= 1 << (7 - (entry % 8));          } -        r = dns_packet_append_type_window(p, window, entry / 8 + 1, bitmaps, NULL); -        if (r < 0) -                goto fail; +        if (bitmaps[entry / 8] != 0) { +                r = dns_packet_append_type_window(p, window, entry / 8 + 1, bitmaps, NULL); +                if (r < 0) +                        goto fail; +        }          if (start)                  *start = saved_size; @@ -707,14 +769,14 @@ int dns_packet_append_rr(DnsPacket *p, const DnsResourceRecord *rr, size_t *star                  if (r < 0)                          goto fail; -                r = dns_packet_append_name(p, rr->srv.name, true, NULL); +                r = dns_packet_append_name(p, rr->srv.name, true, false, NULL);                  break;          case DNS_TYPE_PTR:          case DNS_TYPE_NS:          case DNS_TYPE_CNAME:          case DNS_TYPE_DNAME: -                r = dns_packet_append_name(p, rr->ptr.name, true, NULL); +                r = dns_packet_append_name(p, rr->ptr.name, true, false, NULL);                  break;          case DNS_TYPE_HINFO: @@ -757,11 +819,11 @@ int dns_packet_append_rr(DnsPacket *p, const DnsResourceRecord *rr, size_t *star                  break;          case DNS_TYPE_SOA: -                r = dns_packet_append_name(p, rr->soa.mname, true, NULL); +                r = dns_packet_append_name(p, rr->soa.mname, true, false, NULL);                  if (r < 0)                          goto fail; -                r = dns_packet_append_name(p, rr->soa.rname, true, NULL); +                r = dns_packet_append_name(p, rr->soa.rname, true, false, NULL);                  if (r < 0)                          goto fail; @@ -789,7 +851,7 @@ int dns_packet_append_rr(DnsPacket *p, const DnsResourceRecord *rr, size_t *star                  if (r < 0)                          goto fail; -                r = dns_packet_append_name(p, rr->mx.exchange, true, NULL); +                r = dns_packet_append_name(p, rr->mx.exchange, true, false, NULL);                  break;          case DNS_TYPE_LOC: @@ -893,7 +955,7 @@ int dns_packet_append_rr(DnsPacket *p, const DnsResourceRecord *rr, size_t *star                  if (r < 0)                          goto fail; -                r = dns_packet_append_name(p, rr->rrsig.signer, false, NULL); +                r = dns_packet_append_name(p, rr->rrsig.signer, false, true, NULL);                  if (r < 0)                          goto fail; @@ -901,7 +963,7 @@ int dns_packet_append_rr(DnsPacket *p, const DnsResourceRecord *rr, size_t *star                  break;          case DNS_TYPE_NSEC: -                r = dns_packet_append_name(p, rr->nsec.next_domain_name, false, NULL); +                r = dns_packet_append_name(p, rr->nsec.next_domain_name, false, false, NULL);                  if (r < 0)                          goto fail; @@ -910,6 +972,7 @@ int dns_packet_append_rr(DnsPacket *p, const DnsResourceRecord *rr, size_t *star                          goto fail;                  break; +          case DNS_TYPE_NSEC3:                  r = dns_packet_append_uint8(p, rr->nsec3.algorithm, NULL);                  if (r < 0) @@ -944,6 +1007,8 @@ int dns_packet_append_rr(DnsPacket *p, const DnsResourceRecord *rr, size_t *star                          goto fail;                  break; + +        case DNS_TYPE_OPT:          case _DNS_TYPE_INVALID: /* unparseable */          default: @@ -1390,8 +1455,9 @@ fail:          return r;  } -int dns_packet_read_key(DnsPacket *p, DnsResourceKey **ret, size_t *start) { +int dns_packet_read_key(DnsPacket *p, DnsResourceKey **ret, bool *ret_cache_flush, size_t *start) {          _cleanup_free_ char *name = NULL; +        bool cache_flush = false;          uint16_t class, type;          DnsResourceKey *key;          size_t saved_rindex; @@ -1414,6 +1480,15 @@ int dns_packet_read_key(DnsPacket *p, DnsResourceKey **ret, size_t *start) {          if (r < 0)                  goto fail; +        if (p->protocol == DNS_PROTOCOL_MDNS) { +                /* See RFC6762, Section 10.2 */ + +                if (type != DNS_TYPE_OPT && (class & MDNS_RR_CACHE_FLUSH)) { +                        class &= ~MDNS_RR_CACHE_FLUSH; +                        cache_flush = true; +                } +        } +          key = dns_resource_key_new_consume(class, type, name);          if (!key) {                  r = -ENOMEM; @@ -1423,6 +1498,8 @@ int dns_packet_read_key(DnsPacket *p, DnsResourceKey **ret, size_t *start) {          name = NULL;          *ret = key; +        if (ret_cache_flush) +                *ret_cache_flush = cache_flush;          if (start)                  *start = saved_rindex; @@ -1438,11 +1515,12 @@ static bool loc_size_ok(uint8_t size) {          return m <= 9 && e <= 9 && (m > 0 || e == 0);  } -int dns_packet_read_rr(DnsPacket *p, DnsResourceRecord **ret, size_t *start) { +int dns_packet_read_rr(DnsPacket *p, DnsResourceRecord **ret, bool *ret_cache_flush, size_t *start) {          _cleanup_(dns_resource_record_unrefp) DnsResourceRecord *rr = NULL;          _cleanup_(dns_resource_key_unrefp) DnsResourceKey *key = NULL;          size_t saved_rindex, offset;          uint16_t rdlength; +        bool cache_flush;          int r;          assert(p); @@ -1450,12 +1528,12 @@ int dns_packet_read_rr(DnsPacket *p, DnsResourceRecord **ret, size_t *start) {          saved_rindex = p->rindex; -        r = dns_packet_read_key(p, &key, NULL); +        r = dns_packet_read_key(p, &key, &cache_flush, NULL);          if (r < 0)                  goto fail; -        if (key->class == DNS_CLASS_ANY || -            key->type == DNS_TYPE_ANY) { +        if (!dns_class_is_valid_rr(key->class)|| +            !dns_type_is_valid_rr(key->type)) {                  r = -EBADMSG;                  goto fail;          } @@ -1503,10 +1581,6 @@ int dns_packet_read_rr(DnsPacket *p, DnsResourceRecord **ret, size_t *start) {                  r = dns_packet_read_name(p, &rr->ptr.name, true, NULL);                  break; -        case DNS_TYPE_OPT: /* we only care about the header */ -                r = 0; -                break; -          case DNS_TYPE_HINFO:                  r = dns_packet_read_string(p, &rr->hinfo.cpu, NULL);                  if (r < 0) @@ -1684,6 +1758,7 @@ int dns_packet_read_rr(DnsPacket *p, DnsResourceRecord **ret, size_t *start) {                  }                  break; +          case DNS_TYPE_SSHFP:                  r = dns_packet_read_uint8(p, &rr->sshfp.algorithm, NULL);                  if (r < 0) @@ -1778,8 +1853,16 @@ int dns_packet_read_rr(DnsPacket *p, DnsResourceRecord **ret, size_t *start) {                  break; -        case DNS_TYPE_NSEC: -                r = dns_packet_read_name(p, &rr->nsec.next_domain_name, false, NULL); +        case DNS_TYPE_NSEC: { + +                /* +                 * RFC6762, section 18.14 explictly states mDNS should use name compression. +                 * This contradicts RFC3845, section 2.1.1 +                 */ + +                bool allow_compressed = p->protocol == DNS_PROTOCOL_MDNS; + +                r = dns_packet_read_name(p, &rr->nsec.next_domain_name, allow_compressed, NULL);                  if (r < 0)                          goto fail; @@ -1792,7 +1875,7 @@ int dns_packet_read_rr(DnsPacket *p, DnsResourceRecord **ret, size_t *start) {                   * without the NSEC bit set. */                  break; - +        }          case DNS_TYPE_NSEC3: {                  uint8_t size; @@ -1838,6 +1921,8 @@ int dns_packet_read_rr(DnsPacket *p, DnsResourceRecord **ret, size_t *start) {                  break;          } + +        case DNS_TYPE_OPT: /* we only care about the header of OPT for now. */          default:          unparseable:                  r = dns_packet_read_memdup(p, rdlength, &rr->generic.data, &rr->generic.size, NULL); @@ -1855,6 +1940,8 @@ int dns_packet_read_rr(DnsPacket *p, DnsResourceRecord **ret, size_t *start) {          *ret = rr;          rr = NULL; +        if (ret_cache_flush) +                *ret_cache_flush = cache_flush;          if (start)                  *start = saved_rindex; @@ -1887,11 +1974,22 @@ int dns_packet_extract(DnsPacket *p) {                  for (i = 0; i < n; i++) {                          _cleanup_(dns_resource_key_unrefp) DnsResourceKey *key = NULL; +                        bool cache_flush; -                        r = dns_packet_read_key(p, &key, NULL); +                        r = dns_packet_read_key(p, &key, &cache_flush, NULL);                          if (r < 0)                                  goto finish; +                        if (cache_flush) { +                                r = -EBADMSG; +                                goto finish; +                        } + +                        if (!dns_type_is_valid_query(key->type)) { +                                r = -EBADMSG; +                                goto finish; +                        } +                          r = dns_question_add(question, key);                          if (r < 0)                                  goto finish; @@ -1908,14 +2006,48 @@ int dns_packet_extract(DnsPacket *p) {                  for (i = 0; i < n; i++) {                          _cleanup_(dns_resource_record_unrefp) DnsResourceRecord *rr = NULL; +                        bool cache_flush; -                        r = dns_packet_read_rr(p, &rr, NULL); +                        r = dns_packet_read_rr(p, &rr, &cache_flush, NULL);                          if (r < 0)                                  goto finish; -                        r = dns_answer_add(answer, rr, p->ifindex); -                        if (r < 0) -                                goto finish; +                        if (rr->key->type == DNS_TYPE_OPT) { + +                                if (!dns_name_is_root(DNS_RESOURCE_KEY_NAME(rr->key))) { +                                        r = -EBADMSG; +                                        goto finish; +                                } + +                                /* The OPT RR is only valid in the Additional section */ +                                if (i < DNS_PACKET_ANCOUNT(p) + DNS_PACKET_NSCOUNT(p)) { +                                        r = -EBADMSG; +                                        goto finish; +                                } + +                                /* Two OPT RRs? */ +                                if (p->opt) { +                                        r = -EBADMSG; +                                        goto finish; +                                } + +                                p->opt = dns_resource_record_ref(rr); +                        } else { + +                                /* According to RFC 4795, section +                                 * 2.9. only the RRs from the Answer +                                 * section shall be cached. Hence mark +                                 * only those RRs as cacheable by +                                 * default, but not the ones from the +                                 * Additional or Authority +                                 * sections. */ + +                                r = dns_answer_add(answer, rr, p->ifindex, +                                                   (i < DNS_PACKET_ANCOUNT(p) ? DNS_ANSWER_CACHEABLE : 0) | +                                                   (p->protocol == DNS_PROTOCOL_MDNS && !cache_flush ? DNS_ANSWER_SHARED_OWNER : 0)); +                                if (r < 0) +                                        goto finish; +                        }                  }          } @@ -1934,6 +2066,30 @@ finish:          return r;  } +int dns_packet_is_reply_for(DnsPacket *p, const DnsResourceKey *key) { +        int r; + +        assert(p); +        assert(key); + +        /* Checks if the specified packet is a reply for the specified +         * key and the specified key is the only one in the question +         * section. */ + +        if (DNS_PACKET_QR(p) != 1) +                return 0; + +        /* Let's unpack the packet, if that hasn't happened yet. */ +        r = dns_packet_extract(p); +        if (r < 0) +                return r; + +        if (p->question->n_keys != 1) +                return 0; + +        return dns_resource_key_equal(p->question->keys[0], key); +} +  static const char* const dns_rcode_table[_DNS_RCODE_MAX_DEFINED] = {          [DNS_RCODE_SUCCESS] = "SUCCESS",          [DNS_RCODE_FORMERR] = "FORMERR", diff --git a/src/resolve/resolved-dns-packet.h b/src/resolve/resolved-dns-packet.h index aa2823cfb9..36da86dee5 100644 --- a/src/resolve/resolved-dns-packet.h +++ b/src/resolve/resolved-dns-packet.h @@ -80,6 +80,7 @@ struct DnsPacket {          /* Parsed data */          DnsQuestion *question;          DnsAnswer *answer; +        DnsResourceRecord *opt;          /* Packet reception metadata */          int ifindex; @@ -88,6 +89,9 @@ struct DnsPacket {          uint16_t sender_port, destination_port;          uint32_t ttl; +        /* For support of truncated packets */ +        DnsPacket *more; +          bool on_stack:1;          bool extracted:1;          bool refuse_compression:1; @@ -146,6 +150,8 @@ static inline unsigned DNS_PACKET_RRCOUNT(DnsPacket *p) {  int dns_packet_new(DnsPacket **p, DnsProtocol protocol, size_t mtu);  int dns_packet_new_query(DnsPacket **p, DnsProtocol protocol, size_t mtu, bool dnssec_checking_disabled); +void dns_packet_set_flags(DnsPacket *p, bool dnssec_checking_disabled, bool truncated); +  DnsPacket *dns_packet_ref(DnsPacket *p);  DnsPacket *dns_packet_unref(DnsPacket *p); @@ -155,14 +161,16 @@ int dns_packet_validate(DnsPacket *p);  int dns_packet_validate_reply(DnsPacket *p);  int dns_packet_validate_query(DnsPacket *p); +int dns_packet_is_reply_for(DnsPacket *p, const DnsResourceKey *key); +  int dns_packet_append_blob(DnsPacket *p, const void *d, size_t sz, size_t *start);  int dns_packet_append_uint8(DnsPacket *p, uint8_t v, size_t *start);  int dns_packet_append_uint16(DnsPacket *p, uint16_t v, size_t *start);  int dns_packet_append_uint32(DnsPacket *p, uint32_t v, size_t *start);  int dns_packet_append_string(DnsPacket *p, const char *s, size_t *start);  int dns_packet_append_raw_string(DnsPacket *p, const void *s, size_t size, size_t *start); -int dns_packet_append_label(DnsPacket *p, const char *s, size_t l, size_t *start); -int dns_packet_append_name(DnsPacket *p, const char *name, bool allow_compression, size_t *start); +int dns_packet_append_label(DnsPacket *p, const char *s, size_t l, bool canonical_candidate, size_t *start); +int dns_packet_append_name(DnsPacket *p, const char *name, bool allow_compression, bool canonical_candidate, size_t *start);  int dns_packet_append_key(DnsPacket *p, const DnsResourceKey *key, size_t *start);  int dns_packet_append_rr(DnsPacket *p, const DnsResourceRecord *rr, size_t *start, size_t *rdata_start);  int dns_packet_append_opt_rr(DnsPacket *p, uint16_t max_udp_size, bool edns0_do, size_t *start); @@ -177,8 +185,8 @@ int dns_packet_read_uint32(DnsPacket *p, uint32_t *ret, size_t *start);  int dns_packet_read_string(DnsPacket *p, char **ret, size_t *start);  int dns_packet_read_raw_string(DnsPacket *p, const void **ret, size_t *size, size_t *start);  int dns_packet_read_name(DnsPacket *p, char **ret, bool allow_compression, size_t *start); -int dns_packet_read_key(DnsPacket *p, DnsResourceKey **ret, size_t *start); -int dns_packet_read_rr(DnsPacket *p, DnsResourceRecord **ret, size_t *start); +int dns_packet_read_key(DnsPacket *p, DnsResourceKey **ret, bool *ret_cache_flush, size_t *start); +int dns_packet_read_rr(DnsPacket *p, DnsResourceRecord **ret, bool *ret_cache_flush, size_t *start);  void dns_packet_rewind(DnsPacket *p, size_t idx); @@ -225,6 +233,9 @@ DnsProtocol dns_protocol_from_string(const char *s) _pure_;  #define LLMNR_MULTICAST_IPV4_ADDRESS ((struct in_addr) { .s_addr = htobe32(224U << 24 | 252U) })  #define LLMNR_MULTICAST_IPV6_ADDRESS ((struct in6_addr) { .s6_addr = { 0xFF, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x03 } }) +#define MDNS_MULTICAST_IPV4_ADDRESS  ((struct in_addr) { .s_addr = htobe32(224U << 24 | 251U) }) +#define MDNS_MULTICAST_IPV6_ADDRESS  ((struct in6_addr) { .s6_addr = { 0xFF, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0xfb } }) +  static inline uint64_t SD_RESOLVED_FLAGS_MAKE(DnsProtocol protocol, int family, bool authenticated) {          uint64_t f; @@ -239,6 +250,9 @@ static inline uint64_t SD_RESOLVED_FLAGS_MAKE(DnsProtocol protocol, int family,          case DNS_PROTOCOL_LLMNR:                  return f|(family == AF_INET6 ? SD_RESOLVED_LLMNR_IPV6 : SD_RESOLVED_LLMNR_IPV4); +        case DNS_PROTOCOL_MDNS: +                return family == AF_INET6 ? SD_RESOLVED_MDNS_IPV6 : SD_RESOLVED_MDNS_IPV4; +          default:                  break;          } diff --git a/src/resolve/resolved-dns-query.c b/src/resolve/resolved-dns-query.c index 089d9fb70d..18d2d01bf2 100644 --- a/src/resolve/resolved-dns-query.c +++ b/src/resolve/resolved-dns-query.c @@ -59,7 +59,7 @@ static void dns_query_candidate_stop(DnsQueryCandidate *c) {          assert(c);          while ((t = set_steal_first(c->transactions))) { -                set_remove(t->query_candidates, c); +                set_remove(t->notify_query_candidates, c);                  dns_transaction_gc(t);          }  } @@ -116,32 +116,35 @@ static int dns_query_candidate_add_transaction(DnsQueryCandidate *c, DnsResource          assert(c);          assert(key); -        r = set_ensure_allocated(&c->transactions, NULL); -        if (r < 0) -                return r; -          t = dns_scope_find_transaction(c->scope, key, true);          if (!t) {                  r = dns_transaction_new(&t, c->scope, key);                  if (r < 0)                          return r; +        } else { +                if (set_contains(c->transactions, t)) +                        return 0;          } -        r = set_ensure_allocated(&t->query_candidates, NULL); +        r = set_ensure_allocated(&c->transactions, NULL);          if (r < 0)                  goto gc; -        r = set_put(t->query_candidates, c); +        r = set_ensure_allocated(&t->notify_query_candidates, NULL); +        if (r < 0) +                goto gc; + +        r = set_put(t->notify_query_candidates, c);          if (r < 0)                  goto gc;          r = set_put(c->transactions, t);          if (r < 0) { -                set_remove(t->query_candidates, c); +                (void) set_remove(t->notify_query_candidates, c);                  goto gc;          } -        return 0; +        return 1;  gc:          dns_transaction_gc(t); @@ -182,9 +185,21 @@ static DnsTransactionState dns_query_candidate_state(DnsQueryCandidate *c) {                  switch (t->state) { -                case DNS_TRANSACTION_PENDING:                  case DNS_TRANSACTION_NULL: -                        return t->state; +                        /* If there's a NULL transaction pending, then +                         * this means not all transactions where +                         * started yet, and we were called from within +                         * the stackframe that is supposed to start +                         * remaining transactions. In this case, +                         * simply claim the candidate is pending. */ + +                case DNS_TRANSACTION_PENDING: +                case DNS_TRANSACTION_VALIDATING: +                        /* If there's one transaction currently in +                         * VALIDATING state, then this means there's +                         * also one in PENDING state, hence we can +                         * return PENDING immediately. */ +                        return DNS_TRANSACTION_PENDING;                  case DNS_TRANSACTION_SUCCESS:                          state = t->state; @@ -233,7 +248,7 @@ fail:          return r;  } -void dns_query_candidate_ready(DnsQueryCandidate *c) { +void dns_query_candidate_notify(DnsQueryCandidate *c) {          DnsTransactionState state;          int r; @@ -241,7 +256,7 @@ void dns_query_candidate_ready(DnsQueryCandidate *c) {          state = dns_query_candidate_state(c); -        if (IN_SET(state, DNS_TRANSACTION_PENDING, DNS_TRANSACTION_NULL)) +        if (DNS_TRANSACTION_IS_LIVE(state))                  return;          if (state != DNS_TRANSACTION_SUCCESS && c->search_domain) { @@ -394,8 +409,8 @@ int dns_query_make_auxiliary(DnsQuery *q, DnsQuery *auxiliary_for) {  static void dns_query_complete(DnsQuery *q, DnsTransactionState state) {          assert(q); -        assert(!IN_SET(state, DNS_TRANSACTION_NULL, DNS_TRANSACTION_PENDING)); -        assert(IN_SET(q->state, DNS_TRANSACTION_NULL, DNS_TRANSACTION_PENDING)); +        assert(!DNS_TRANSACTION_IS_LIVE(state)); +        assert(DNS_TRANSACTION_IS_LIVE(q->state));          /* Note that this call might invalidate the query. Callers           * should hence not attempt to access the query or transaction @@ -539,7 +554,7 @@ static int synthesize_localhost_rr(DnsQuery *q, DnsResourceKey *key, DnsAnswer *                  rr->a.in_addr.s_addr = htobe32(INADDR_LOOPBACK); -                r = dns_answer_add(*answer, rr, SYNTHESIZE_IFINDEX(q->ifindex)); +                r = dns_answer_add(*answer, rr, SYNTHESIZE_IFINDEX(q->ifindex), DNS_ANSWER_AUTHENTICATED);                  if (r < 0)                          return r;          } @@ -553,7 +568,7 @@ static int synthesize_localhost_rr(DnsQuery *q, DnsResourceKey *key, DnsAnswer *                  rr->aaaa.in6_addr = in6addr_loopback; -                r = dns_answer_add(*answer, rr, SYNTHESIZE_IFINDEX(q->ifindex)); +                r = dns_answer_add(*answer, rr, SYNTHESIZE_IFINDEX(q->ifindex), DNS_ANSWER_AUTHENTICATED);                  if (r < 0)                          return r;          } @@ -561,7 +576,7 @@ static int synthesize_localhost_rr(DnsQuery *q, DnsResourceKey *key, DnsAnswer *          return 0;  } -static int answer_add_ptr(DnsAnswer **answer, const char *from, const char *to, int ifindex) { +static int answer_add_ptr(DnsAnswer **answer, const char *from, const char *to, int ifindex, DnsAnswerFlags flags) {          _cleanup_(dns_resource_record_unrefp) DnsResourceRecord *rr = NULL;          rr = dns_resource_record_new_full(DNS_CLASS_IN, DNS_TYPE_PTR, from); @@ -572,7 +587,7 @@ static int answer_add_ptr(DnsAnswer **answer, const char *from, const char *to,          if (!rr->ptr.name)                  return -ENOMEM; -        return dns_answer_add(*answer, rr, ifindex); +        return dns_answer_add(*answer, rr, ifindex, flags);  }  static int synthesize_localhost_ptr(DnsQuery *q, DnsResourceKey *key, DnsAnswer **answer) { @@ -582,12 +597,12 @@ static int synthesize_localhost_ptr(DnsQuery *q, DnsResourceKey *key, DnsAnswer          assert(key);          assert(answer); -        r = dns_answer_reserve(answer, 1); -        if (r < 0) -                return r; -          if (IN_SET(key->type, DNS_TYPE_PTR, DNS_TYPE_ANY)) { -                r = answer_add_ptr(answer, DNS_RESOURCE_KEY_NAME(key), "localhost", SYNTHESIZE_IFINDEX(q->ifindex)); +                r = dns_answer_reserve(answer, 1); +                if (r < 0) +                        return r; + +                r = answer_add_ptr(answer, DNS_RESOURCE_KEY_NAME(key), "localhost", SYNTHESIZE_IFINDEX(q->ifindex), DNS_ANSWER_AUTHENTICATED);                  if (r < 0)                          return r;          } @@ -618,7 +633,7 @@ static int answer_add_addresses_rr(                  if (r < 0)                          return r; -                r = dns_answer_add(*answer, rr, addresses[j].ifindex); +                r = dns_answer_add(*answer, rr, addresses[j].ifindex, DNS_ANSWER_AUTHENTICATED);                  if (r < 0)                          return r;          } @@ -659,7 +674,7 @@ static int answer_add_addresses_ptr(                  if (r < 0)                          return r; -                r = dns_answer_add(*answer, rr, addresses[j].ifindex); +                r = dns_answer_add(*answer, rr, addresses[j].ifindex, DNS_ANSWER_AUTHENTICATED);                  if (r < 0)                          return r;          } @@ -725,15 +740,15 @@ static int synthesize_system_hostname_ptr(DnsQuery *q, int af, const union in_ad                  if (r < 0)                          return r; -                r = answer_add_ptr(answer, "2.0.0.127.in-addr.arpa", q->manager->llmnr_hostname, SYNTHESIZE_IFINDEX(q->ifindex)); +                r = answer_add_ptr(answer, "2.0.0.127.in-addr.arpa", q->manager->llmnr_hostname, SYNTHESIZE_IFINDEX(q->ifindex), DNS_ANSWER_AUTHENTICATED);                  if (r < 0)                          return r; -                r = answer_add_ptr(answer, "2.0.0.127.in-addr.arpa", q->manager->mdns_hostname, SYNTHESIZE_IFINDEX(q->ifindex)); +                r = answer_add_ptr(answer, "2.0.0.127.in-addr.arpa", q->manager->mdns_hostname, SYNTHESIZE_IFINDEX(q->ifindex), DNS_ANSWER_AUTHENTICATED);                  if (r < 0)                          return r; -                r = answer_add_ptr(answer, "2.0.0.127.in-addr.arpa", "localhost", SYNTHESIZE_IFINDEX(q->ifindex)); +                r = answer_add_ptr(answer, "2.0.0.127.in-addr.arpa", "localhost", SYNTHESIZE_IFINDEX(q->ifindex), DNS_ANSWER_AUTHENTICATED);                  if (r < 0)                          return r; @@ -795,7 +810,7 @@ static int dns_query_synthesize_reply(DnsQuery *q, DnsTransactionState *state) {          /* Tries to synthesize localhost RR replies where appropriate */          if (!IN_SET(*state, -                    DNS_TRANSACTION_FAILURE, +                    DNS_TRANSACTION_RCODE_FAILURE,                      DNS_TRANSACTION_NO_SERVERS,                      DNS_TRANSACTION_TIMEOUT,                      DNS_TRANSACTION_ATTEMPTS_MAX_REACHED)) @@ -970,9 +985,11 @@ fail:  static void dns_query_accept(DnsQuery *q, DnsQueryCandidate *c) {          DnsTransactionState state = DNS_TRANSACTION_NO_SERVERS; +        bool has_authenticated = false, has_non_authenticated = false; +        DnssecResult dnssec_result_authenticated = _DNSSEC_RESULT_INVALID, dnssec_result_non_authenticated = _DNSSEC_RESULT_INVALID;          DnsTransaction *t;          Iterator i; -        bool has_authenticated = false, has_non_authenticated = false; +        int r;          assert(q); @@ -988,29 +1005,29 @@ static void dns_query_accept(DnsQuery *q, DnsQueryCandidate *c) {                  case DNS_TRANSACTION_SUCCESS: {                          /* We found a successfuly reply, merge it into the answer */ -                        DnsAnswer *merged; - -                        merged = dns_answer_merge(q->answer, t->answer); -                        if (!merged) { +                        r = dns_answer_extend(&q->answer, t->answer); +                        if (r < 0) {                                  dns_query_complete(q, DNS_TRANSACTION_RESOURCES);                                  return;                          } -                        dns_answer_unref(q->answer); -                        q->answer = merged;                          q->answer_rcode = t->answer_rcode; -                        if (t->answer_authenticated) +                        if (t->answer_authenticated) {                                  has_authenticated = true; -                        else +                                dnssec_result_authenticated = t->answer_dnssec_result; +                        } else {                                  has_non_authenticated = true; +                                dnssec_result_non_authenticated = t->answer_dnssec_result; +                        }                          state = DNS_TRANSACTION_SUCCESS;                          break;                  } -                case DNS_TRANSACTION_PENDING:                  case DNS_TRANSACTION_NULL: +                case DNS_TRANSACTION_PENDING: +                case DNS_TRANSACTION_VALIDATING:                  case DNS_TRANSACTION_ABORTED:                          /* Ignore transactions that didn't complete */                          continue; @@ -1019,22 +1036,26 @@ static void dns_query_accept(DnsQuery *q, DnsQueryCandidate *c) {                          /* Any kind of failure? Store the data away,                           * if there's nothing stored yet. */ -                        if (state != DNS_TRANSACTION_SUCCESS) { - -                                dns_answer_unref(q->answer); -                                q->answer = dns_answer_ref(t->answer); -                                q->answer_rcode = t->answer_rcode; +                        if (state == DNS_TRANSACTION_SUCCESS) +                                continue; -                                state = t->state; -                        } +                        dns_answer_unref(q->answer); +                        q->answer = dns_answer_ref(t->answer); +                        q->answer_rcode = t->answer_rcode; +                        q->answer_dnssec_result = t->answer_dnssec_result; +                        state = t->state;                          break;                  }          } +        if (state == DNS_TRANSACTION_SUCCESS) { +                q->answer_authenticated = has_authenticated && !has_non_authenticated; +                q->answer_dnssec_result = q->answer_authenticated ? dnssec_result_authenticated : dnssec_result_non_authenticated; +        } +          q->answer_protocol = c->scope->protocol;          q->answer_family = c->scope->family; -        q->answer_authenticated = has_authenticated && !has_non_authenticated;          dns_search_domain_unref(q->answer_search_domain);          q->answer_search_domain = dns_search_domain_ref(c->search_domain); @@ -1049,7 +1070,7 @@ void dns_query_ready(DnsQuery *q) {          bool pending = false;          assert(q); -        assert(IN_SET(q->state, DNS_TRANSACTION_NULL, DNS_TRANSACTION_PENDING)); +        assert(DNS_TRANSACTION_IS_LIVE(q->state));          /* Note that this call might invalidate the query. Callers           * should hence not attempt to access the query or transaction @@ -1066,14 +1087,16 @@ void dns_query_ready(DnsQuery *q) {                  switch (state) {                  case DNS_TRANSACTION_SUCCESS: -                        /* One of the transactions is successful, +                        /* One of the candidates is successful,                           * let's use it, and copy its data out */                          dns_query_accept(q, c);                          return; -                case DNS_TRANSACTION_PENDING:                  case DNS_TRANSACTION_NULL: -                        /* One of the transactions is still going on, let's maybe wait for it */ +                case DNS_TRANSACTION_PENDING: +                case DNS_TRANSACTION_VALIDATING: +                        /* One of the candidates is still going on, +                         * let's maybe wait for it */                          pending = true;                          break; @@ -1096,6 +1119,8 @@ static int dns_query_cname_redirect(DnsQuery *q, const DnsResourceRecord *cname)          assert(q); +        log_debug("Following CNAME %s → %s", dns_question_first_name(q->question), cname->cname.name); +          q->n_cname_redirects ++;          if (q->n_cname_redirects > CNAME_MAX)                  return -ELOOP; diff --git a/src/resolve/resolved-dns-query.h b/src/resolve/resolved-dns-query.h index b71bb2352b..44edd5bfff 100644 --- a/src/resolve/resolved-dns-query.h +++ b/src/resolve/resolved-dns-query.h @@ -72,10 +72,11 @@ struct DnsQuery {          /* Discovered data */          DnsAnswer *answer;          int answer_rcode; +        DnssecResult answer_dnssec_result; +        bool answer_authenticated;          DnsProtocol answer_protocol;          int answer_family;          DnsSearchDomain *answer_search_domain; -        bool answer_authenticated;          /* Bus client information */          sd_bus_message *request; @@ -95,7 +96,7 @@ struct DnsQuery {  };  DnsQueryCandidate* dns_query_candidate_free(DnsQueryCandidate *c); -void dns_query_candidate_ready(DnsQueryCandidate *c); +void dns_query_candidate_notify(DnsQueryCandidate *c);  int dns_query_new(Manager *m, DnsQuery **q, DnsQuestion *question, int family, uint64_t flags);  DnsQuery *dns_query_free(DnsQuery *q); diff --git a/src/resolve/resolved-dns-question.c b/src/resolve/resolved-dns-question.c index 3249448d3b..4ed7434d3c 100644 --- a/src/resolve/resolved-dns-question.c +++ b/src/resolve/resolved-dns-question.c @@ -117,7 +117,7 @@ int dns_question_matches_cname(DnsQuestion *q, DnsResourceRecord *rr, const char                  return 0;          for (i = 0; i < q->n_keys; i++) { -                r = dns_resource_key_match_cname(q->keys[i], rr, search_domain); +                r = dns_resource_key_match_cname_or_dname(q->keys[i], rr->key, search_domain);                  if (r != 0)                          return r;          } diff --git a/src/resolve/resolved-dns-rr.c b/src/resolve/resolved-dns-rr.c index 934a18334c..98a3a3351d 100644 --- a/src/resolve/resolved-dns-rr.c +++ b/src/resolve/resolved-dns-rr.c @@ -168,6 +168,9 @@ bool dns_resource_key_is_address(const DnsResourceKey *key) {  int dns_resource_key_equal(const DnsResourceKey *a, const DnsResourceKey *b) {          int r; +        if (a == b) +                return 1; +          r = dns_name_equal(DNS_RESOURCE_KEY_NAME(a), DNS_RESOURCE_KEY_NAME(b));          if (r <= 0)                  return r; @@ -181,12 +184,15 @@ int dns_resource_key_equal(const DnsResourceKey *a, const DnsResourceKey *b) {          return 1;  } -int dns_resource_key_match_rr(const DnsResourceKey *key, const DnsResourceRecord *rr, const char *search_domain) { +int dns_resource_key_match_rr(const DnsResourceKey *key, DnsResourceRecord *rr, const char *search_domain) {          int r;          assert(key);          assert(rr); +        if (key == rr->key) +                return 1; +          /* Checks if an rr matches the specified key. If a search           * domain is specified, it will also be checked if the key           * with the search domain suffixed might match the RR. */ @@ -214,19 +220,19 @@ int dns_resource_key_match_rr(const DnsResourceKey *key, const DnsResourceRecord          return 0;  } -int dns_resource_key_match_cname(const DnsResourceKey *key, const DnsResourceRecord *rr, const char *search_domain) { +int dns_resource_key_match_cname_or_dname(const DnsResourceKey *key, const DnsResourceKey *cname, const char *search_domain) {          int r;          assert(key); -        assert(rr); +        assert(cname); -        if (rr->key->class != key->class && key->class != DNS_CLASS_ANY) +        if (cname->class != key->class && key->class != DNS_CLASS_ANY)                  return 0; -        if (rr->key->type == DNS_TYPE_CNAME) -                r = dns_name_equal(DNS_RESOURCE_KEY_NAME(key), DNS_RESOURCE_KEY_NAME(rr->key)); -        else if (rr->key->type == DNS_TYPE_DNAME) -                r = dns_name_endswith(DNS_RESOURCE_KEY_NAME(key), DNS_RESOURCE_KEY_NAME(rr->key)); +        if (cname->type == DNS_TYPE_CNAME) +                r = dns_name_equal(DNS_RESOURCE_KEY_NAME(key), DNS_RESOURCE_KEY_NAME(cname)); +        else if (cname->type == DNS_TYPE_DNAME) +                r = dns_name_endswith(DNS_RESOURCE_KEY_NAME(key), DNS_RESOURCE_KEY_NAME(cname));          else                  return 0; @@ -240,14 +246,31 @@ int dns_resource_key_match_cname(const DnsResourceKey *key, const DnsResourceRec                  if (r < 0)                          return r; -                if (rr->key->type == DNS_TYPE_CNAME) -                        return dns_name_equal(joined, DNS_RESOURCE_KEY_NAME(rr->key)); -                else if (rr->key->type == DNS_TYPE_DNAME) -                        return dns_name_endswith(joined, DNS_RESOURCE_KEY_NAME(rr->key)); +                if (cname->type == DNS_TYPE_CNAME) +                        return dns_name_equal(joined, DNS_RESOURCE_KEY_NAME(cname)); +                else if (cname->type == DNS_TYPE_DNAME) +                        return dns_name_endswith(joined, DNS_RESOURCE_KEY_NAME(cname));          }          return 0; +} + +int dns_resource_key_match_soa(const DnsResourceKey *key, const DnsResourceKey *soa) { +        assert(soa); +        assert(key); +        /* Checks whether 'soa' is a SOA record for the specified key. */ + +        if (soa->class != DNS_CLASS_IN) +                return 0; + +        if (soa->type != DNS_TYPE_SOA) +                return 0; + +        if (!dns_name_endswith(DNS_RESOURCE_KEY_NAME(key), DNS_RESOURCE_KEY_NAME(soa))) +                return 0; + +        return 1;  }  static void dns_resource_key_hash_func(const void *i, struct siphash *state) { @@ -303,7 +326,7 @@ int dns_resource_key_to_string(const DnsResourceKey *key, char **ret) {                  t = tbuf;          } -        if (asprintf(&s, "%s %s %-5s", DNS_RESOURCE_KEY_NAME(key), c, t) < 0) +        if (asprintf(&s, "%s. %s %-5s", DNS_RESOURCE_KEY_NAME(key), c, t) < 0)                  return -ENOMEM;          *ret = s; @@ -503,6 +526,9 @@ int dns_resource_record_equal(const DnsResourceRecord *a, const DnsResourceRecor          assert(a);          assert(b); +        if (a == b) +                return 1; +          r = dns_resource_key_equal(a->key, b->key);          if (r <= 0)                  return r; @@ -1048,34 +1074,6 @@ int dns_resource_record_to_wire_format(DnsResourceRecord *rr, bool canonical) {          return 0;  } -const char *dns_class_to_string(uint16_t class) { - -        switch (class) { - -        case DNS_CLASS_IN: -                return "IN"; - -        case DNS_CLASS_ANY: -                return "ANY"; -        } - -        return NULL; -} - -int dns_class_from_string(const char *s, uint16_t *class) { -        assert(s); -        assert(class); - -        if (strcaseeq(s, "IN")) -                *class = DNS_CLASS_IN; -        else if (strcaseeq(s, "ANY")) -                *class = DNS_CLASS_ANY; -        else -                return -EINVAL; - -        return 0; -} -  DnsTxtItem *dns_txt_item_free_all(DnsTxtItem *i) {          DnsTxtItem *n; @@ -1090,6 +1088,9 @@ DnsTxtItem *dns_txt_item_free_all(DnsTxtItem *i) {  bool dns_txt_item_equal(DnsTxtItem *a, DnsTxtItem *b) { +        if (a == b) +                return true; +          if (!a != !b)                  return false; diff --git a/src/resolve/resolved-dns-rr.h b/src/resolve/resolved-dns-rr.h index b82fa77562..a35f01ce10 100644 --- a/src/resolve/resolved-dns-rr.h +++ b/src/resolve/resolved-dns-rr.h @@ -33,18 +33,13 @@ typedef struct DnsResourceKey DnsResourceKey;  typedef struct DnsResourceRecord DnsResourceRecord;  typedef struct DnsTxtItem DnsTxtItem; -/* DNS record classes, see RFC 1035 */ -enum { -        DNS_CLASS_IN   = 0x01, -        DNS_CLASS_ANY  = 0xFF, -        _DNS_CLASS_MAX, -        _DNS_CLASS_INVALID = -1 -}; -  /* DNSKEY RR flags */  #define DNSKEY_FLAG_ZONE_KEY (UINT16_C(1) << 8)  #define DNSKEY_FLAG_SEP      (UINT16_C(1) << 0) +/* mDNS RR flags */ +#define MDNS_RR_CACHE_FLUSH  (UINT16_C(1) << 15) +  /* DNSSEC algorithm identifiers, see   * http://tools.ietf.org/html/rfc4034#appendix-A.1 and   * https://www.iana.org/assignments/dns-sec-alg-numbers/dns-sec-alg-numbers.xhtml */ @@ -110,7 +105,7 @@ struct DnsResourceRecord {                  struct {                          void *data;                          size_t size; -                } generic; +                } generic, opt;                  struct {                          uint16_t priority; @@ -241,11 +236,16 @@ DnsResourceKey* dns_resource_key_ref(DnsResourceKey *key);  DnsResourceKey* dns_resource_key_unref(DnsResourceKey *key);  bool dns_resource_key_is_address(const DnsResourceKey *key);  int dns_resource_key_equal(const DnsResourceKey *a, const DnsResourceKey *b); -int dns_resource_key_match_rr(const DnsResourceKey *key, const DnsResourceRecord *rr, const char *search_domain); -int dns_resource_key_match_cname(const DnsResourceKey *key, const DnsResourceRecord *rr, const char *search_domain); +int dns_resource_key_match_rr(const DnsResourceKey *key, DnsResourceRecord *rr, const char *search_domain); +int dns_resource_key_match_cname_or_dname(const DnsResourceKey *key, const DnsResourceKey *cname, const char *search_domain); +int dns_resource_key_match_soa(const DnsResourceKey *key, const DnsResourceKey *soa);  int dns_resource_key_to_string(const DnsResourceKey *key, char **ret);  DEFINE_TRIVIAL_CLEANUP_FUNC(DnsResourceKey*, dns_resource_key_unref); +static inline bool dns_key_is_shared(const DnsResourceKey *key) { +        return IN_SET(key->type, DNS_TYPE_PTR); +} +  DnsResourceRecord* dns_resource_record_new(DnsResourceKey *key);  DnsResourceRecord* dns_resource_record_new_full(uint16_t class, uint16_t type, const char *name);  DnsResourceRecord* dns_resource_record_ref(DnsResourceRecord *rr); @@ -261,9 +261,6 @@ int dns_resource_record_to_wire_format(DnsResourceRecord *rr, bool canonical);  DnsTxtItem *dns_txt_item_free_all(DnsTxtItem *i);  bool dns_txt_item_equal(DnsTxtItem *a, DnsTxtItem *b); -const char *dns_class_to_string(uint16_t type); -int dns_class_from_string(const char *name, uint16_t *class); -  extern const struct hash_ops dns_resource_key_hash_ops;  const char* dnssec_algorithm_to_string(int i) _const_; diff --git a/src/resolve/resolved-dns-scope.c b/src/resolve/resolved-dns-scope.c index a90692cdf4..b284cb8b27 100644 --- a/src/resolve/resolved-dns-scope.c +++ b/src/resolve/resolved-dns-scope.c @@ -30,6 +30,7 @@  #include "random-util.h"  #include "resolved-dns-scope.h"  #include "resolved-llmnr.h" +#include "resolved-mdns.h"  #include "socket-util.h"  #include "strv.h" @@ -59,6 +60,7 @@ int dns_scope_new(Manager *m, DnsScope **ret, Link *l, DnsProtocol protocol, int          LIST_PREPEND(scopes, m->dns_scopes, s);          dns_scope_llmnr_membership(s, true); +        dns_scope_mdns_membership(s, true);          log_debug("New scope on link %s, protocol %s, family %s", l ? l->name : "*", dns_protocol_to_string(protocol), family == AF_UNSPEC ? "*" : af_to_name(family)); @@ -79,7 +81,8 @@ static void dns_scope_abort_transactions(DnsScope *s) {                   * freed while we still look at it */                  t->block_gc++; -                dns_transaction_complete(t, DNS_TRANSACTION_ABORTED); +                if (DNS_TRANSACTION_IS_LIVE(t->state)) +                        dns_transaction_complete(t, DNS_TRANSACTION_ABORTED);                  t->block_gc--;                  dns_transaction_free(t); @@ -95,6 +98,7 @@ DnsScope* dns_scope_free(DnsScope *s) {          log_debug("Removing scope on link %s, protocol %s, family %s", s->link ? s->link->name : "*", dns_protocol_to_string(s->protocol), s->family == AF_UNSPEC ? "*" : af_to_name(s->family));          dns_scope_llmnr_membership(s, false); +        dns_scope_mdns_membership(s, false);          dns_scope_abort_transactions(s);          while (s->query_candidates) @@ -158,11 +162,10 @@ void dns_scope_packet_lost(DnsScope *s, usec_t usec) {                  s->resend_timeout = MIN(s->resend_timeout * 2, MULTICAST_RESEND_TIMEOUT_MAX_USEC);  } -int dns_scope_emit(DnsScope *s, int fd, DnsServer *server, DnsPacket *p) { +static int dns_scope_emit_one(DnsScope *s, int fd, DnsServer *server, DnsPacket *p) {          union in_addr_union addr;          int ifindex = 0, r;          int family; -        uint16_t port;          uint32_t mtu;          size_t saved_size = 0; @@ -228,7 +231,6 @@ int dns_scope_emit(DnsScope *s, int fd, DnsServer *server, DnsPacket *p) {                          return -EBUSY;                  family = s->family; -                port = LLMNR_PORT;                  if (family == AF_INET) {                          addr.in = LLMNR_MULTICAST_IPV4_ADDRESS; @@ -241,7 +243,30 @@ int dns_scope_emit(DnsScope *s, int fd, DnsServer *server, DnsPacket *p) {                  if (fd < 0)                          return fd; -                r = manager_send(s->manager, fd, ifindex, family, &addr, port, p); +                r = manager_send(s->manager, fd, ifindex, family, &addr, LLMNR_PORT, p); +                if (r < 0) +                        return r; + +                break; + +        case DNS_PROTOCOL_MDNS: +                if (!ratelimit_test(&s->ratelimit)) +                        return -EBUSY; + +                family = s->family; + +                if (family == AF_INET) { +                        addr.in = MDNS_MULTICAST_IPV4_ADDRESS; +                        fd = manager_mdns_ipv4_fd(s->manager); +                } else if (family == AF_INET6) { +                        addr.in6 = MDNS_MULTICAST_IPV6_ADDRESS; +                        fd = manager_mdns_ipv6_fd(s->manager); +                } else +                        return -EAFNOSUPPORT; +                if (fd < 0) +                        return fd; + +                r = manager_send(s->manager, fd, ifindex, family, &addr, MDNS_PORT, p);                  if (r < 0)                          return r; @@ -254,6 +279,31 @@ int dns_scope_emit(DnsScope *s, int fd, DnsServer *server, DnsPacket *p) {          return 1;  } +int dns_scope_emit(DnsScope *s, int fd, DnsServer *server, DnsPacket *p) { +        int r; + +        assert(s); +        assert(p); +        assert(p->protocol == s->protocol); +        assert((s->protocol == DNS_PROTOCOL_DNS) != (fd < 0)); + +        do { +                /* If there are multiple linked packets, set the TC bit in all but the last of them */ +                if (p->more) { +                        assert(p->protocol == DNS_PROTOCOL_MDNS); +                        dns_packet_set_flags(p, true, true); +                } + +                r = dns_scope_emit_one(s, fd, server, p); +                if (r < 0) +                        return r; + +                p = p->more; +        } while(p); + +        return 0; +} +  static int dns_scope_socket(DnsScope *s, int type, int family, const union in_addr_union *address, uint16_t port, DnsServer **server) {          DnsServer *srv = NULL;          _cleanup_close_ int fd = -1; @@ -392,6 +442,10 @@ DnsScopeMatch dns_scope_good_domain(DnsScope *s, int ifindex, uint64_t flags, co              dns_name_equal(domain, "0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa") > 0)                  return DNS_SCOPE_NO; +        /* Never respond to some of the domains listed in RFC6761 */ +        if (dns_name_endswith(domain, "invalid") > 0) +                return DNS_SCOPE_NO; +          /* Always honour search domains for routing queries. Note that           * we return DNS_SCOPE_YES here, rather than just           * DNS_SCOPE_MAYBE, which means wildcard scopes won't be @@ -409,7 +463,11 @@ DnsScopeMatch dns_scope_good_domain(DnsScope *s, int ifindex, uint64_t flags, co                      dns_name_endswith(domain, "8.e.f.ip6.arpa") == 0 &&                      dns_name_endswith(domain, "9.e.f.ip6.arpa") == 0 &&                      dns_name_endswith(domain, "a.e.f.ip6.arpa") == 0 && -                    dns_name_endswith(domain, "b.e.f.ip6.arpa") == 0) +                    dns_name_endswith(domain, "b.e.f.ip6.arpa") == 0 && +                    /* If networks use .local in their private setups, they are supposed to also add .local to their search +                     * domains, which we already checked above. Otherwise, we consider .local specific to mDNS and won't +                     * send such queries ordinary DNS servers. */ +                    dns_name_endswith(domain, "local") == 0)                          return DNS_SCOPE_MAYBE;                  return DNS_SCOPE_NO; @@ -449,7 +507,7 @@ int dns_scope_good_key(DnsScope *s, DnsResourceKey *key) {          if (s->protocol == DNS_PROTOCOL_DNS) { -                /* On classic DNS, lookin up non-address RRs is always +                /* On classic DNS, looking up non-address RRs is always                   * fine. (Specifically, we want to permit looking up                   * DNSKEY and DS records on the root and top-level                   * domains.) */ @@ -477,19 +535,15 @@ int dns_scope_good_key(DnsScope *s, DnsResourceKey *key) {          return true;  } -int dns_scope_llmnr_membership(DnsScope *s, bool b) { +static int dns_scope_multicast_membership(DnsScope *s, bool b, struct in_addr in, struct in6_addr in6) {          int fd;          assert(s); - -        if (s->protocol != DNS_PROTOCOL_LLMNR) -                return 0; -          assert(s->link);          if (s->family == AF_INET) {                  struct ip_mreqn mreqn = { -                        .imr_multiaddr = LLMNR_MULTICAST_IPV4_ADDRESS, +                        .imr_multiaddr = in,                          .imr_ifindex = s->link->ifindex,                  }; @@ -508,7 +562,7 @@ int dns_scope_llmnr_membership(DnsScope *s, bool b) {          } else if (s->family == AF_INET6) {                  struct ipv6_mreq mreq = { -                        .ipv6mr_multiaddr = LLMNR_MULTICAST_IPV6_ADDRESS, +                        .ipv6mr_multiaddr = in6,                          .ipv6mr_interface = s->link->ifindex,                  }; @@ -527,6 +581,22 @@ int dns_scope_llmnr_membership(DnsScope *s, bool b) {          return 0;  } +int dns_scope_llmnr_membership(DnsScope *s, bool b) { + +        if (s->protocol != DNS_PROTOCOL_LLMNR) +                return 0; + +        return dns_scope_multicast_membership(s, b, LLMNR_MULTICAST_IPV4_ADDRESS, LLMNR_MULTICAST_IPV6_ADDRESS); +} + +int dns_scope_mdns_membership(DnsScope *s, bool b) { + +        if (s->protocol != DNS_PROTOCOL_MDNS) +                return 0; + +        return dns_scope_multicast_membership(s, b, MDNS_MULTICAST_IPV4_ADDRESS, MDNS_MULTICAST_IPV6_ADDRESS); +} +  static int dns_scope_make_reply_packet(                  DnsScope *s,                  uint16_t id, @@ -720,7 +790,7 @@ DnsTransaction *dns_scope_find_transaction(DnsScope *scope, DnsResourceKey *key,          /* Refuse reusing transactions that completed based on cached           * data instead of a real packet, if that's requested. */          if (!cache_ok && -            IN_SET(t->state, DNS_TRANSACTION_SUCCESS, DNS_TRANSACTION_FAILURE) && +            IN_SET(t->state, DNS_TRANSACTION_SUCCESS, DNS_TRANSACTION_RCODE_FAILURE) &&              t->answer_source != DNS_TRANSACTION_NETWORK)                  return NULL; @@ -753,7 +823,11 @@ static int dns_scope_make_conflict_packet(                                                                0 /* (ad) */,                                                                0 /* (cd) */,                                                                0)); -        random_bytes(&DNS_PACKET_HEADER(p)->id, sizeof(uint16_t)); + +        /* For mDNS, the transaction ID should always be 0 */ +        if (s->protocol != DNS_PROTOCOL_MDNS) +                random_bytes(&DNS_PACKET_HEADER(p)->id, sizeof(uint16_t)); +          DNS_PACKET_HEADER(p)->qdcount = htobe16(1);          DNS_PACKET_HEADER(p)->arcount = htobe16(1); diff --git a/src/resolve/resolved-dns-scope.h b/src/resolve/resolved-dns-scope.h index 15d9a1fd6f..2fc2e07deb 100644 --- a/src/resolve/resolved-dns-scope.h +++ b/src/resolve/resolved-dns-scope.h @@ -93,6 +93,7 @@ DnsServer *dns_scope_get_dns_server(DnsScope *s);  void dns_scope_next_dns_server(DnsScope *s);  int dns_scope_llmnr_membership(DnsScope *s, bool b); +int dns_scope_mdns_membership(DnsScope *s, bool b);  void dns_scope_process_query(DnsScope *s, DnsStream *stream, DnsPacket *p); diff --git a/src/resolve/resolved-dns-transaction.c b/src/resolve/resolved-dns-transaction.c index 1103a34c6f..347b1683f9 100644 --- a/src/resolve/resolved-dns-transaction.c +++ b/src/resolve/resolved-dns-transaction.c @@ -24,6 +24,7 @@  #include "dns-domain.h"  #include "fd-util.h"  #include "random-util.h" +#include "resolved-dns-cache.h"  #include "resolved-dns-transaction.h"  #include "resolved-llmnr.h"  #include "string-table.h" @@ -31,6 +32,7 @@  DnsTransaction* dns_transaction_free(DnsTransaction *t) {          DnsQueryCandidate *c;          DnsZoneItem *i; +        DnsTransaction *z;          if (!t)                  return NULL; @@ -58,15 +60,27 @@ DnsTransaction* dns_transaction_free(DnsTransaction *t) {          dns_resource_key_unref(t->key); -        while ((c = set_steal_first(t->query_candidates))) +        while ((c = set_steal_first(t->notify_query_candidates)))                  set_remove(c->transactions, t); +        set_free(t->notify_query_candidates); -        set_free(t->query_candidates); - -        while ((i = set_steal_first(t->zone_items))) +        while ((i = set_steal_first(t->notify_zone_items)))                  i->probe_transaction = NULL; -        set_free(t->zone_items); +        set_free(t->notify_zone_items); + +        while ((z = set_steal_first(t->notify_transactions))) +                set_remove(z->dnssec_transactions, t); +        set_free(t->notify_transactions); + +        while ((z = set_steal_first(t->dnssec_transactions))) { +                set_remove(z->notify_transactions, t); +                dns_transaction_gc(z); +        } +        set_free(t->dnssec_transactions); + +        dns_answer_unref(t->validated_keys); +        free(t->key_string);          free(t);          return NULL;  } @@ -79,7 +93,9 @@ void dns_transaction_gc(DnsTransaction *t) {          if (t->block_gc > 0)                  return; -        if (set_isempty(t->query_candidates) && set_isempty(t->zone_items)) +        if (set_isempty(t->notify_query_candidates) && +            set_isempty(t->notify_zone_items) && +            set_isempty(t->notify_transactions))                  dns_transaction_free(t);  } @@ -91,6 +107,14 @@ int dns_transaction_new(DnsTransaction **ret, DnsScope *s, DnsResourceKey *key)          assert(s);          assert(key); +        /* Don't allow looking up invalid or pseudo RRs */ +        if (!dns_type_is_valid_query(key->type)) +                return -EINVAL; + +        /* We only support the IN class */ +        if (key->class != DNS_CLASS_IN && key->class != DNS_CLASS_ANY) +                return -EOPNOTSUPP; +          r = hashmap_ensure_allocated(&s->manager->dns_transactions, NULL);          if (r < 0)                  return r; @@ -105,6 +129,7 @@ int dns_transaction_new(DnsTransaction **ret, DnsScope *s, DnsResourceKey *key)          t->dns_udp_fd = -1;          t->answer_source = _DNS_TRANSACTION_SOURCE_INVALID; +        t->answer_dnssec_result = _DNSSEC_RESULT_INVALID;          t->key = dns_resource_key_ref(key);          /* Find a fresh, unused transaction id */ @@ -158,7 +183,9 @@ static void dns_transaction_tentative(DnsTransaction *t, DnsPacket *p) {          in_addr_to_string(p->family, &p->sender, &pretty); -        log_debug("Transaction on scope %s on %s/%s got tentative packet from %s", +        log_debug("Transaction %" PRIu16 " for <%s> on scope %s on %s/%s got tentative packet from %s.", +                  t->id, +                  dns_transaction_key_string(t),                    dns_protocol_to_string(t->scope->protocol),                    t->scope->link ? t->scope->link->name : "*",                    t->scope->family == AF_UNSPEC ? "*" : af_to_name(t->scope->family), @@ -174,7 +201,7 @@ static void dns_transaction_tentative(DnsTransaction *t, DnsPacket *p) {          log_debug("We have the lexicographically larger IP address and thus lost in the conflict.");          t->block_gc++; -        while ((z = set_first(t->zone_items))) { +        while ((z = set_first(t->notify_zone_items))) {                  /* First, make sure the zone item drops the reference                   * to us */                  dns_zone_item_probe_stop(z); @@ -191,21 +218,25 @@ static void dns_transaction_tentative(DnsTransaction *t, DnsPacket *p) {  void dns_transaction_complete(DnsTransaction *t, DnsTransactionState state) {          DnsQueryCandidate *c;          DnsZoneItem *z; +        DnsTransaction *d;          Iterator i;          assert(t); -        assert(!IN_SET(state, DNS_TRANSACTION_NULL, DNS_TRANSACTION_PENDING)); +        assert(!DNS_TRANSACTION_IS_LIVE(state));          /* Note that this call might invalidate the query. Callers           * should hence not attempt to access the query or transaction           * after calling this function. */ -        log_debug("Transaction on scope %s on %s/%s now complete with <%s> from %s", +        log_debug("Transaction %" PRIu16 " for <%s> on scope %s on %s/%s now complete with <%s> from %s (%s).", +                  t->id, +                  dns_transaction_key_string(t),                    dns_protocol_to_string(t->scope->protocol),                    t->scope->link ? t->scope->link->name : "*",                    t->scope->family == AF_UNSPEC ? "*" : af_to_name(t->scope->family),                    dns_transaction_state_to_string(state), -                  t->answer_source < 0 ? "none" : dns_transaction_source_to_string(t->answer_source)); +                  t->answer_source < 0 ? "none" : dns_transaction_source_to_string(t->answer_source), +                  t->answer_authenticated ? "authenticated" : "unsigned");          t->state = state; @@ -214,12 +245,42 @@ void dns_transaction_complete(DnsTransaction *t, DnsTransactionState state) {          /* Notify all queries that are interested, but make sure the           * transaction isn't freed while we are still looking at it */          t->block_gc++; -        SET_FOREACH(c, t->query_candidates, i) -                dns_query_candidate_ready(c); -        SET_FOREACH(z, t->zone_items, i) -                dns_zone_item_ready(z); -        t->block_gc--; +        SET_FOREACH(c, t->notify_query_candidates, i) +                dns_query_candidate_notify(c); +        SET_FOREACH(z, t->notify_zone_items, i) +                dns_zone_item_notify(z); + +        if (!set_isempty(t->notify_transactions)) { +                DnsTransaction **nt; +                unsigned j, n = 0; + +                /* We need to be careful when notifying other +                 * transactions, as that might destroy other +                 * transactions in our list. Hence, in order to be +                 * able to safely iterate through the list of +                 * transactions, take a GC lock on all of them +                 * first. Then, in a second loop, notify them, but +                 * first unlock that specific transaction. */ + +                nt = newa(DnsTransaction*, set_size(t->notify_transactions)); +                SET_FOREACH(d, t->notify_transactions, i) { +                        nt[n++] = d; +                        d->block_gc++; +                } + +                assert(n == set_size(t->notify_transactions)); + +                for (j = 0; j < n; j++) { +                        if (set_contains(t->notify_transactions, nt[j])) +                                dns_transaction_notify(nt[j], t); + +                        nt[j]->block_gc--; +                        dns_transaction_gc(nt[j]); +                } +        } + +        t->block_gc--;          dns_transaction_gc(t);  } @@ -243,7 +304,7 @@ static int on_stream_complete(DnsStream *s, int error) {          }          if (dns_packet_validate_reply(p) <= 0) { -                log_debug("Invalid LLMNR TCP packet."); +                log_debug("Invalid TCP reply packet.");                  dns_transaction_complete(t, DNS_TRANSACTION_INVALID_REPLY);                  return 0;          } @@ -347,6 +408,77 @@ static void dns_transaction_next_dns_server(DnsTransaction *t) {          dns_scope_next_dns_server(t->scope);  } +static void dns_transaction_cache_answer(DnsTransaction *t) { +        assert(t); + +        /* For mDNS we cache whenever we get the packet, rather than +         * in each transaction. */ +        if (!IN_SET(t->scope->protocol, DNS_PROTOCOL_DNS, DNS_PROTOCOL_LLMNR)) +                return; + +        /* We never cache if this packet is from the local host, under +         * the assumption that a locally running DNS server would +         * cache this anyway, and probably knows better when to flush +         * the cache then we could. */ +        if (!DNS_PACKET_SHALL_CACHE(t->received)) +                return; + +        dns_cache_put(&t->scope->cache, +                      t->key, +                      t->answer_rcode, +                      t->answer, +                      t->answer_authenticated, +                      0, +                      t->received->family, +                      &t->received->sender); +} + +static bool dns_transaction_dnssec_is_live(DnsTransaction *t) { +        DnsTransaction *dt; +        Iterator i; + +        assert(t); + +        SET_FOREACH(dt, t->dnssec_transactions, i) +                if (DNS_TRANSACTION_IS_LIVE(dt->state)) +                        return true; + +        return false; +} + +static void dns_transaction_process_dnssec(DnsTransaction *t) { +        int r; + +        assert(t); + +        /* Are there ongoing DNSSEC transactions? If so, let's wait for them. */ +        if (dns_transaction_dnssec_is_live(t)) +                return; + +        /* All our auxiliary DNSSEC transactions are complete now. Try +         * to validate our RRset now. */ +        r = dns_transaction_validate_dnssec(t); +        if (r < 0) { +                dns_transaction_complete(t, DNS_TRANSACTION_RESOURCES); +                return; +        } + +        if (!IN_SET(t->answer_dnssec_result, +                    _DNSSEC_RESULT_INVALID, /* No DNSSEC validation enabled */ +                    DNSSEC_VALIDATED,       /* Answer is signed and validated successfully */ +                    DNSSEC_UNSIGNED)) {     /* Answer is right-fully unsigned */ +                dns_transaction_complete(t, DNS_TRANSACTION_DNSSEC_FAILED); +                return; +        } + +        dns_transaction_cache_answer(t); + +        if (t->answer_rcode == DNS_RCODE_SUCCESS) +                dns_transaction_complete(t, DNS_TRANSACTION_SUCCESS); +        else +                dns_transaction_complete(t, DNS_TRANSACTION_RCODE_FAILURE); +} +  void dns_transaction_process_reply(DnsTransaction *t, DnsPacket *p) {          usec_t ts;          int r; @@ -361,7 +493,10 @@ void dns_transaction_process_reply(DnsTransaction *t, DnsPacket *p) {           * should hence not attempt to access the query or transaction           * after calling this function. */ +        log_debug("Processing incoming packet on transaction %" PRIu16".", t->id); +          switch (t->scope->protocol) { +          case DNS_PROTOCOL_LLMNR:                  assert(t->scope->link); @@ -384,6 +519,18 @@ void dns_transaction_process_reply(DnsTransaction *t, DnsPacket *p) {                  break; +        case DNS_PROTOCOL_MDNS: +                assert(t->scope->link); + +                /* For mDNS we will not accept any packets from other interfaces */ +                if (p->ifindex != t->scope->link->ifindex) +                        return; + +                if (p->family != t->scope->family) +                        return; + +                break; +          case DNS_PROTOCOL_DNS:                  break; @@ -415,12 +562,13 @@ void dns_transaction_process_reply(DnsTransaction *t, DnsPacket *p) {          assert_se(sd_event_now(t->scope->manager->event, clock_boottime_or_monotonic(), &ts) >= 0);          switch (t->scope->protocol) { +          case DNS_PROTOCOL_DNS:                  assert(t->server);                  if (IN_SET(DNS_PACKET_RCODE(p), DNS_RCODE_FORMERR, DNS_RCODE_SERVFAIL, DNS_RCODE_NOTIMP)) { -                        /* request failed, immediately try again with reduced features */ +                        /* Request failed, immediately try again with reduced features */                          log_debug("Server returned error: %s", dns_rcode_to_string(DNS_PACKET_RCODE(p)));                          dns_server_packet_failed(t->server, t->current_features); @@ -436,16 +584,24 @@ void dns_transaction_process_reply(DnsTransaction *t, DnsPacket *p) {                          dns_server_packet_received(t->server, t->current_features, ts - t->start_usec, p->size);                  break; +          case DNS_PROTOCOL_LLMNR:          case DNS_PROTOCOL_MDNS:                  dns_scope_packet_received(t->scope, ts - t->start_usec); -                  break; +          default: -                break; +                assert_not_reached("Invalid DNS protocol.");          }          if (DNS_PACKET_TC(p)) { + +                /* Truncated packets for mDNS are not allowed. Give up immediately. */ +                if (t->scope->protocol == DNS_PROTOCOL_MDNS) { +                        dns_transaction_complete(t, DNS_TRANSACTION_INVALID_REPLY); +                        return; +                } +                  /* Response was truncated, let's try again with good old TCP */                  r = dns_transaction_open_tcp(t);                  if (r == -ESRCH) { @@ -474,41 +630,46 @@ void dns_transaction_process_reply(DnsTransaction *t, DnsPacket *p) {                  }          } -        /* Parse and update the cache */ +        /* Parse message, if it isn't parsed yet. */          r = dns_packet_extract(p);          if (r < 0) {                  dns_transaction_complete(t, DNS_TRANSACTION_INVALID_REPLY);                  return;          } -        /* Only consider responses with equivalent query section to the request */ -        if (p->question->n_keys != 1 || dns_resource_key_equal(p->question->keys[0], t->key) <= 0) { -                dns_transaction_complete(t, DNS_TRANSACTION_INVALID_REPLY); -                return; +        if (IN_SET(t->scope->protocol, DNS_PROTOCOL_DNS, DNS_PROTOCOL_LLMNR)) { + +                /* Only consider responses with equivalent query section to the request */ +                r = dns_packet_is_reply_for(p, t->key); +                if (r < 0) { +                        dns_transaction_complete(t, DNS_TRANSACTION_RESOURCES); +                        return; +                } +                if (r == 0) { +                        dns_transaction_complete(t, DNS_TRANSACTION_INVALID_REPLY); +                        return; +                } + +                /* Install the answer as answer to the transaction */ +                dns_answer_unref(t->answer); +                t->answer = dns_answer_ref(p->answer); +                t->answer_rcode = DNS_PACKET_RCODE(p); +                t->answer_authenticated = false; + +                r = dns_transaction_request_dnssec_keys(t); +                if (r < 0) { +                        dns_transaction_complete(t, DNS_TRANSACTION_RESOURCES); +                        return; +                } +                if (r > 0) { +                        /* There are DNSSEC transactions pending now. Update the state accordingly. */ +                        t->state = DNS_TRANSACTION_VALIDATING; +                        dns_transaction_stop(t); +                        return; +                }          } -        /* Install the answer as answer to the transaction */ -        dns_answer_unref(t->answer); -        t->answer = dns_answer_ref(p->answer); -        t->answer_rcode = DNS_PACKET_RCODE(p); -        t->answer_authenticated = t->scope->dnssec_mode == DNSSEC_TRUST && DNS_PACKET_AD(p); - -        /* According to RFC 4795, section 2.9. only the RRs from the answer section shall be cached */ -        if (DNS_PACKET_SHALL_CACHE(p)) -                dns_cache_put(&t->scope->cache, -                              t->key, -                              DNS_PACKET_RCODE(p), -                              p->answer, -                              DNS_PACKET_ANCOUNT(p), -                              t->answer_authenticated, -                              0, -                              p->family, -                              &p->sender); - -        if (DNS_PACKET_RCODE(p) == DNS_RCODE_SUCCESS) -                dns_transaction_complete(t, DNS_TRANSACTION_SUCCESS); -        else -                dns_transaction_complete(t, DNS_TRANSACTION_FAILURE); +        dns_transaction_process_dnssec(t);  }  static int on_dns_packet(sd_event_source *s, int fd, uint32_t revents, void *userdata) { @@ -527,7 +688,7 @@ static int on_dns_packet(sd_event_source *s, int fd, uint32_t revents, void *use              DNS_PACKET_ID(p) == t->id)                  dns_transaction_process_reply(t, p);          else -                log_debug("Invalid DNS packet."); +                log_debug("Invalid DNS packet, ignoring.");          return 0;  } @@ -571,23 +732,30 @@ static int on_transaction_timeout(sd_event_source *s, usec_t usec, void *userdat          assert(s);          assert(t); -        /* Timeout reached? Increase the timeout for the server used */ -        switch (t->scope->protocol) { -        case DNS_PROTOCOL_DNS: -                assert(t->server); +        if (!t->initial_jitter_scheduled || t->initial_jitter_elapsed) { +                /* Timeout reached? Increase the timeout for the server used */ +                switch (t->scope->protocol) { +                case DNS_PROTOCOL_DNS: +                        assert(t->server); -                dns_server_packet_lost(t->server, t->current_features, usec - t->start_usec); +                        dns_server_packet_lost(t->server, t->current_features, usec - t->start_usec); -                break; -        case DNS_PROTOCOL_LLMNR: -        case DNS_PROTOCOL_MDNS: -                dns_scope_packet_lost(t->scope, usec - t->start_usec); +                        break; +                case DNS_PROTOCOL_LLMNR: +                case DNS_PROTOCOL_MDNS: +                        dns_scope_packet_lost(t->scope, usec - t->start_usec); -                break; -        default: -                assert_not_reached("Invalid DNS protocol."); +                        break; +                default: +                        assert_not_reached("Invalid DNS protocol."); +                } + +                if (t->initial_jitter_scheduled) +                        t->initial_jitter_elapsed = true;          } +        log_debug("Timeout reached on transaction %" PRIu16 ".", t->id); +          /* ...and try again with a new server */          dns_transaction_next_dns_server(t); @@ -598,38 +766,6 @@ static int on_transaction_timeout(sd_event_source *s, usec_t usec, void *userdat          return 0;  } -static int dns_transaction_make_packet(DnsTransaction *t) { -        _cleanup_(dns_packet_unrefp) DnsPacket *p = NULL; -        int r; - -        assert(t); - -        if (t->sent) -                return 0; - -        r = dns_packet_new_query(&p, t->scope->protocol, 0, t->scope->dnssec_mode == DNSSEC_YES); -        if (r < 0) -                return r; - -        r = dns_scope_good_key(t->scope, t->key); -        if (r < 0) -                return r; -        if (r == 0) -                return -EDOM; - -        r = dns_packet_append_key(p, t->key, NULL); -        if (r < 0) -                return r; - -        DNS_PACKET_HEADER(p)->qdcount = htobe16(1); -        DNS_PACKET_HEADER(p)->id = t->id; - -        t->sent = p; -        p = NULL; - -        return 0; -} -  static usec_t transaction_get_resend_timeout(DnsTransaction *t) {          assert(t);          assert(t->scope); @@ -639,17 +775,18 @@ static usec_t transaction_get_resend_timeout(DnsTransaction *t) {                  assert(t->server);                  return t->server->resend_timeout; -        case DNS_PROTOCOL_LLMNR:          case DNS_PROTOCOL_MDNS: +                assert(t->n_attempts > 0); +                return (1 << (t->n_attempts - 1)) * USEC_PER_SEC; +        case DNS_PROTOCOL_LLMNR:                  return t->scope->resend_timeout;          default:                  assert_not_reached("Invalid DNS protocol.");          }  } -int dns_transaction_go(DnsTransaction *t) { +static int dns_transaction_prepare(DnsTransaction *t, usec_t ts) {          bool had_stream; -        usec_t ts;          int r;          assert(t); @@ -658,11 +795,6 @@ int dns_transaction_go(DnsTransaction *t) {          dns_transaction_stop(t); -        log_debug("Excercising transaction on scope %s on %s/%s", -                  dns_protocol_to_string(t->scope->protocol), -                  t->scope->link ? t->scope->link->name : "*", -                  t->scope->family == AF_UNSPEC ? "*" : af_to_name(t->scope->family)); -          if (t->n_attempts >= TRANSACTION_ATTEMPTS_MAX(t->scope->protocol)) {                  dns_transaction_complete(t, DNS_TRANSACTION_ATTEMPTS_MAX_REACHED);                  return 0; @@ -675,8 +807,6 @@ int dns_transaction_go(DnsTransaction *t) {                  return 0;          } -        assert_se(sd_event_now(t->scope->manager->event, clock_boottime_or_monotonic(), &ts) >= 0); -          t->n_attempts++;          t->start_usec = ts;          t->received = dns_packet_unref(t->received); @@ -700,7 +830,7 @@ int dns_transaction_go(DnsTransaction *t) {          /* Check the zone, but only if this transaction is not used           * for probing or verifying a zone item. */ -        if (set_isempty(t->zone_items)) { +        if (set_isempty(t->notify_zone_items)) {                  r = dns_zone_lookup(&t->scope->zone, t->key, &t->answer, NULL, NULL);                  if (r < 0) @@ -716,7 +846,7 @@ int dns_transaction_go(DnsTransaction *t) {          /* Check the cache, but only if this transaction is not used           * for probing or verifying a zone item. */ -        if (set_isempty(t->zone_items)) { +        if (set_isempty(t->notify_zone_items)) {                  /* Before trying the cache, let's make sure we figured out a                   * server to use. Should this cause a change of server this @@ -734,36 +864,210 @@ int dns_transaction_go(DnsTransaction *t) {                          if (t->answer_rcode == DNS_RCODE_SUCCESS)                                  dns_transaction_complete(t, DNS_TRANSACTION_SUCCESS);                          else -                                dns_transaction_complete(t, DNS_TRANSACTION_FAILURE); +                                dns_transaction_complete(t, DNS_TRANSACTION_RCODE_FAILURE);                          return 0;                  }          } -        if (t->scope->protocol == DNS_PROTOCOL_LLMNR && !t->initial_jitter) { -                usec_t jitter; +        return 1; +} + +static int dns_transaction_make_packet_mdns(DnsTransaction *t) { + +        _cleanup_(dns_packet_unrefp) DnsPacket *p = NULL; +        bool add_known_answers = false; +        DnsTransaction *other; +        unsigned qdcount; +        usec_t ts; +        int r; + +        assert(t); +        assert(t->scope->protocol == DNS_PROTOCOL_MDNS); + +        /* Discard any previously prepared packet, so we can start over and coalesce again */ +        t->sent = dns_packet_unref(t->sent); + +        r = dns_packet_new_query(&p, t->scope->protocol, 0, false); +        if (r < 0) +                return r; + +        r = dns_packet_append_key(p, t->key, NULL); +        if (r < 0) +                return r; + +        qdcount = 1; + +        if (dns_key_is_shared(t->key)) +                add_known_answers = true; + +        /* +         * For mDNS, we want to coalesce as many open queries in pending transactions into one single +         * query packet on the wire as possible. To achieve that, we iterate through all pending transactions +         * in our current scope, and see whether their timing contraints allow them to be sent. +         */ + +        assert_se(sd_event_now(t->scope->manager->event, clock_boottime_or_monotonic(), &ts) >= 0); + +        LIST_FOREACH(transactions_by_scope, other, t->scope->transactions) { + +                /* Skip ourselves */ +                if (other == t) +                        continue; + +                if (other->state != DNS_TRANSACTION_PENDING) +                        continue; + +                if (other->next_attempt_after > ts) +                        continue; + +                if (qdcount >= UINT16_MAX) +                        break; + +                r = dns_packet_append_key(p, other->key, NULL); + +                /* +                 * If we can't stuff more questions into the packet, just give up. +                 * One of the 'other' transactions will fire later and take care of the rest. +                 */ +                if (r == -EMSGSIZE) +                        break; + +                if (r < 0) +                        return r; + +                r = dns_transaction_prepare(other, ts); +                if (r <= 0) +                        continue; + +                ts += transaction_get_resend_timeout(other); + +                r = sd_event_add_time( +                                other->scope->manager->event, +                                &other->timeout_event_source, +                                clock_boottime_or_monotonic(), +                                ts, 0, +                                on_transaction_timeout, other); +                if (r < 0) +                        return r; + +                other->state = DNS_TRANSACTION_PENDING; +                other->next_attempt_after = ts; + +                qdcount ++; + +                if (dns_key_is_shared(other->key)) +                        add_known_answers = true; +        } + +        DNS_PACKET_HEADER(p)->qdcount = htobe16(qdcount); + +        /* Append known answer section if we're asking for any shared record */ +        if (add_known_answers) { +                r = dns_cache_export_shared_to_packet(&t->scope->cache, p); +                if (r < 0) +                        return r; +        } + +        t->sent = p; +        p = NULL; + +        return 0; +} + +static int dns_transaction_make_packet(DnsTransaction *t) { +        _cleanup_(dns_packet_unrefp) DnsPacket *p = NULL; +        int r; + +        assert(t); + +        if (t->scope->protocol == DNS_PROTOCOL_MDNS) +                return dns_transaction_make_packet_mdns(t); + +        if (t->sent) +                return 0; + +        r = dns_packet_new_query(&p, t->scope->protocol, 0, t->scope->dnssec_mode == DNSSEC_YES); +        if (r < 0) +                return r; + +        r = dns_scope_good_key(t->scope, t->key); +        if (r < 0) +                return r; +        if (r == 0) +                return -EDOM; + +        r = dns_packet_append_key(p, t->key, NULL); +        if (r < 0) +                return r; + +        DNS_PACKET_HEADER(p)->qdcount = htobe16(1); +        DNS_PACKET_HEADER(p)->id = t->id; + +        t->sent = p; +        p = NULL; + +        return 0; +} + +int dns_transaction_go(DnsTransaction *t) { +        usec_t ts; +        int r; + +        assert(t); + +        assert_se(sd_event_now(t->scope->manager->event, clock_boottime_or_monotonic(), &ts) >= 0); + +        r = dns_transaction_prepare(t, ts); +        if (r <= 0) +                return r; + +        log_debug("Excercising transaction %" PRIu16 " for <%s> on scope %s on %s/%s.", +                  t->id, +                  dns_transaction_key_string(t), +                  dns_protocol_to_string(t->scope->protocol), +                  t->scope->link ? t->scope->link->name : "*", +                  t->scope->family == AF_UNSPEC ? "*" : af_to_name(t->scope->family)); + +        if (!t->initial_jitter_scheduled && +            (t->scope->protocol == DNS_PROTOCOL_LLMNR || +             t->scope->protocol == DNS_PROTOCOL_MDNS)) { +                usec_t jitter, accuracy;                  /* RFC 4795 Section 2.7 suggests all queries should be                   * delayed by a random time from 0 to JITTER_INTERVAL. */ -                t->initial_jitter = true; +                t->initial_jitter_scheduled = true;                  random_bytes(&jitter, sizeof(jitter)); -                jitter %= LLMNR_JITTER_INTERVAL_USEC; + +                switch (t->scope->protocol) { +                case DNS_PROTOCOL_LLMNR: +                        jitter %= LLMNR_JITTER_INTERVAL_USEC; +                        accuracy = LLMNR_JITTER_INTERVAL_USEC; +                        break; +                case DNS_PROTOCOL_MDNS: +                        jitter %= MDNS_JITTER_RANGE_USEC; +                        jitter += MDNS_JITTER_MIN_USEC; +                        accuracy = MDNS_JITTER_RANGE_USEC; +                        break; +                default: +                        assert_not_reached("bad protocol"); +                }                  r = sd_event_add_time(                                  t->scope->manager->event,                                  &t->timeout_event_source,                                  clock_boottime_or_monotonic(), -                                ts + jitter, -                                LLMNR_JITTER_INTERVAL_USEC, +                                ts + jitter, accuracy,                                  on_transaction_timeout, t);                  if (r < 0)                          return r;                  t->n_attempts = 0; +                t->next_attempt_after = ts;                  t->state = DNS_TRANSACTION_PENDING; -                log_debug("Delaying LLMNR transaction for " USEC_FMT "us.", jitter); +                log_debug("Delaying %s transaction for " USEC_FMT "us.", dns_protocol_to_string(t->scope->protocol), jitter);                  return 0;          } @@ -810,23 +1114,1002 @@ int dns_transaction_go(DnsTransaction *t) {                  return dns_transaction_go(t);          } +        ts += transaction_get_resend_timeout(t); +          r = sd_event_add_time(                          t->scope->manager->event,                          &t->timeout_event_source,                          clock_boottime_or_monotonic(), -                        ts + transaction_get_resend_timeout(t), 0, +                        ts, 0,                          on_transaction_timeout, t);          if (r < 0)                  return r;          t->state = DNS_TRANSACTION_PENDING; +        t->next_attempt_after = ts; + +        return 1; +} + +static int dns_transaction_add_dnssec_transaction(DnsTransaction *t, DnsResourceKey *key, DnsTransaction **ret) { +        DnsTransaction *aux; +        int r; + +        assert(t); +        assert(ret); +        assert(key); + +        aux = dns_scope_find_transaction(t->scope, key, true); +        if (!aux) { +                r = dns_transaction_new(&aux, t->scope, key); +                if (r < 0) +                        return r; +        } else { +                if (set_contains(t->dnssec_transactions, aux)) { +                        *ret = aux; +                        return 0; +                } +        } + +        r = set_ensure_allocated(&t->dnssec_transactions, NULL); +        if (r < 0) +                goto gc; + +        r = set_ensure_allocated(&aux->notify_transactions, NULL); +        if (r < 0) +                goto gc; + +        r = set_put(t->dnssec_transactions, aux); +        if (r < 0) +                goto gc; + +        r = set_put(aux->notify_transactions, t); +        if (r < 0) { +                (void) set_remove(t->dnssec_transactions, aux); +                goto gc; +        } + +        *ret = aux;          return 1; + +gc: +        dns_transaction_gc(aux); +        return r; +} + +static int dns_transaction_request_dnssec_rr(DnsTransaction *t, DnsResourceKey *key) { +        _cleanup_(dns_answer_unrefp) DnsAnswer *a = NULL; +        DnsTransaction *aux; +        int r; + +        assert(t); +        assert(key); + +        r = dns_resource_key_equal(t->key, key); +        if (r < 0) +                return r; +        if (r > 0) /* Don't go in circles */ +                return 0; + +        /* Try to get the data from the trust anchor */ +        r = dns_trust_anchor_lookup(&t->scope->manager->trust_anchor, key, &a); +        if (r < 0) +                return r; +        if (r > 0) { +                r = dns_answer_extend(&t->validated_keys, a); +                if (r < 0) +                        return r; + +                return 0; +        } + +        /* This didn't work, ask for it via the network/cache then. */ +        r = dns_transaction_add_dnssec_transaction(t, key, &aux); +        if (r < 0) +                return r; + +        if (aux->state == DNS_TRANSACTION_NULL) { +                r = dns_transaction_go(aux); +                if (r < 0) +                        return r; +        } + +        return 0; +} + +static int dns_transaction_has_positive_answer(DnsTransaction *t, DnsAnswerFlags *flags) { +        int r; + +        assert(t); + +        /* Checks whether the answer is positive, i.e. either a direct +         * answer to the question, or a CNAME/DNAME for it */ + +        r = dns_answer_match_key(t->answer, t->key, flags); +        if (r != 0) +                return r; + +        r = dns_answer_find_cname_or_dname(t->answer, t->key, NULL, flags); +        if (r != 0) +                return r; + +        return false; +} + +static int dns_transaction_has_unsigned_negative_answer(DnsTransaction *t) { +        int r; + +        assert(t); + +        /* Checks whether the answer is negative, and lacks NSEC/NSEC3 +         * RRs to prove it */ + +        r = dns_transaction_has_positive_answer(t, NULL); +        if (r < 0) +                return r; +        if (r > 0) +                return false; + +        /* The answer does not contain any RRs that match to the +         * question. If so, let's see if there are any NSEC/NSEC3 RRs +         * included. If not, the answer is unsigned. */ + +        r = dns_answer_contains_nsec_or_nsec3(t->answer); +        if (r < 0) +                return r; +        if (r > 0) +                return false; + +        return true; +} + +static int dns_transaction_is_primary_response(DnsTransaction *t, DnsResourceRecord *rr) { +        int r; + +        assert(t); +        assert(rr); + +        /* Check if the specified RR is the "primary" response, +         * i.e. either matches the question precisely or is a +         * CNAME/DNAME for it, or is any kind of NSEC/NSEC3 RR */ + +        r = dns_resource_key_match_rr(t->key, rr, NULL); +        if (r != 0) +                return r; + +        r = dns_resource_key_match_cname_or_dname(t->key, rr->key, NULL); +        if (r != 0) +                return r; + +        if (rr->key->type == DNS_TYPE_NSEC3) { +                const char *p; + +                p = DNS_RESOURCE_KEY_NAME(rr->key); +                r = dns_name_parent(&p); +                if (r < 0) +                        return r; +                if (r > 0) { +                        r = dns_name_endswith(DNS_RESOURCE_KEY_NAME(t->key), p); +                        if (r < 0) +                                return r; +                        if (r > 0) +                                return true; +                } +        } + +        return rr->key->type == DNS_TYPE_NSEC; +} + +int dns_transaction_request_dnssec_keys(DnsTransaction *t) { +        DnsResourceRecord *rr; + +        int r; + +        assert(t); + +        /* +         * Retrieve all auxiliary RRs for the answer we got, so that +         * we can verify signatures or prove that RRs are rightfully +         * unsigned. Specifically: +         * +         * - For RRSIG we get the matching DNSKEY +         * - For DNSKEY we get the matching DS +         * - For unsigned SOA/NS we get the matching DS +         * - For unsigned CNAME/DNAME we get the parent SOA RR +         * - For other unsigned RRs we get the matching SOA RR +         * - For SOA/NS/DS queries with no matching response RRs, and no NSEC/NSEC3, the parent's SOA RR +         * - For other queries with no matching response RRs, and no NSEC/NSEC3, the SOA RR +         */ + +        if (t->scope->dnssec_mode != DNSSEC_YES) +                return 0; + +        DNS_ANSWER_FOREACH(rr, t->answer) { + +                if (dns_type_is_pseudo(rr->key->type)) +                        continue; + +                switch (rr->key->type) { + +                case DNS_TYPE_RRSIG: { +                        /* For each RRSIG we request the matching DNSKEY */ +                        _cleanup_(dns_resource_key_unrefp) DnsResourceKey *dnskey = NULL; + +                        /* If this RRSIG is about a DNSKEY RR and the +                         * signer is the same as the owner, then we +                         * already have the DNSKEY, and we don't have +                         * to look for more. */ +                        if (rr->rrsig.type_covered == DNS_TYPE_DNSKEY) { +                                r = dns_name_equal(rr->rrsig.signer, DNS_RESOURCE_KEY_NAME(rr->key)); +                                if (r < 0) +                                        return r; +                                if (r > 0) +                                        continue; +                        } + +                        /* If the signer is not a parent of our +                         * original query, then this is about an +                         * auxiliary RRset, but not anything we asked +                         * for. In this case we aren't interested, +                         * because we don't want to request additional +                         * RRs for stuff we didn't really ask for, and +                         * also to avoid request loops, where +                         * additional RRs from one transaction result +                         * in another transaction whose additonal RRs +                         * point back to the original transaction, and +                         * we deadlock. */ +                        r = dns_name_endswith(DNS_RESOURCE_KEY_NAME(t->key), rr->rrsig.signer); +                        if (r < 0) +                                return r; +                        if (r == 0) +                                continue; + +                        dnskey = dns_resource_key_new(rr->key->class, DNS_TYPE_DNSKEY, rr->rrsig.signer); +                        if (!dnskey) +                                return -ENOMEM; + +                        log_debug("Requesting DNSKEY to validate transaction %" PRIu16" (%s, RRSIG with key tag: %" PRIu16 ").", t->id, DNS_RESOURCE_KEY_NAME(rr->key), rr->rrsig.key_tag); +                        r = dns_transaction_request_dnssec_rr(t, dnskey); +                        if (r < 0) +                                return r; +                        break; +                } + +                case DNS_TYPE_DNSKEY: { +                        /* For each DNSKEY we request the matching DS */ +                        _cleanup_(dns_resource_key_unrefp) DnsResourceKey *ds = NULL; + +                        /* If the DNSKEY we are looking at is not for +                         * zone we are interested in, nor any of its +                         * parents, we aren't interested, and don't +                         * request it. After all, we don't want to end +                         * up in request loops, and want to keep +                         * additional traffic down. */ + +                        r = dns_name_endswith(DNS_RESOURCE_KEY_NAME(t->key), DNS_RESOURCE_KEY_NAME(rr->key)); +                        if (r < 0) +                                return r; +                        if (r == 0) +                                continue; + +                        ds = dns_resource_key_new(rr->key->class, DNS_TYPE_DS, DNS_RESOURCE_KEY_NAME(rr->key)); +                        if (!ds) +                                return -ENOMEM; + +                        log_debug("Requesting DS to validate transaction %" PRIu16" (%s, DNSKEY with key tag: %" PRIu16 ").", t->id, DNS_RESOURCE_KEY_NAME(rr->key), dnssec_keytag(rr)); +                        r = dns_transaction_request_dnssec_rr(t, ds); +                        if (r < 0) +                                return r; + +                        break; +                } + +                case DNS_TYPE_DS: +                case DNS_TYPE_NSEC: +                case DNS_TYPE_NSEC3: +                        /* Don't acquire anything for +                         * DS/NSEC/NSEC3. We require they come with an +                         * RRSIG without us asking for anything, and +                         * that's sufficient. */ +                        break; + +                case DNS_TYPE_SOA: +                case DNS_TYPE_NS: { +                        _cleanup_(dns_resource_key_unrefp) DnsResourceKey *ds = NULL; + +                        /* For an unsigned SOA or NS, try to acquire +                         * the matching DS RR, as we are at a zone cut +                         * then, and whether a DS exists tells us +                         * whether the zone is signed. Do so only if +                         * this RR matches our original question, +                         * however. */ + +                        r = dns_resource_key_match_rr(t->key, rr, NULL); +                        if (r < 0) +                                return r; +                        if (r == 0) +                                continue; + +                        r = dnssec_has_rrsig(t->answer, rr->key); +                        if (r < 0) +                                return r; +                        if (r > 0) +                                continue; + +                        ds = dns_resource_key_new(rr->key->class, DNS_TYPE_DS, DNS_RESOURCE_KEY_NAME(rr->key)); +                        if (!ds) +                                return -ENOMEM; + +                        log_debug("Requesting DS to validate transaction %" PRIu16 " (%s, unsigned SOA/NS RRset).", t->id, DNS_RESOURCE_KEY_NAME(rr->key)); +                        r = dns_transaction_request_dnssec_rr(t, ds); +                        if (r < 0) +                                return r; + +                        break; +                } + +                case DNS_TYPE_CNAME: +                case DNS_TYPE_DNAME: { +                        _cleanup_(dns_resource_key_unrefp) DnsResourceKey *soa = NULL; +                        const char *name; + +                        /* CNAMEs and DNAMEs cannot be located at a +                         * zone apex, hence ask for the parent SOA for +                         * unsigned CNAME/DNAME RRs, maybe that's the +                         * apex. But do all that only if this is +                         * actually a response to our original +                         * question. */ + +                        r = dns_transaction_is_primary_response(t, rr); +                        if (r < 0) +                                return r; +                        if (r == 0) +                                continue; + +                        r = dnssec_has_rrsig(t->answer, rr->key); +                        if (r < 0) +                                return r; +                        if (r > 0) +                                continue; + +                        name = DNS_RESOURCE_KEY_NAME(rr->key); +                        r = dns_name_parent(&name); +                        if (r < 0) +                                return r; +                        if (r == 0) +                                continue; + +                        soa = dns_resource_key_new(rr->key->class, DNS_TYPE_SOA, name); +                        if (!soa) +                                return -ENOMEM; + +                        log_debug("Requesting parent SOA to validate transaction %" PRIu16 " (%s, unsigned CNAME/DNAME RRset).", t->id, DNS_RESOURCE_KEY_NAME(rr->key)); +                        r = dns_transaction_request_dnssec_rr(t, soa); +                        if (r < 0) +                                return r; + +                        break; +                } + +                default: { +                        _cleanup_(dns_resource_key_unrefp) DnsResourceKey *soa = NULL; + +                        /* For other unsigned RRsets, look for proof +                         * the zone is unsigned, by requesting the SOA +                         * RR of the zone. However, do so only if they +                         * are directly relevant to our original +                         * question. */ + +                        r = dns_transaction_is_primary_response(t, rr); +                        if (r < 0) +                                return r; +                        if (r == 0) +                                continue; + +                        r = dnssec_has_rrsig(t->answer, rr->key); +                        if (r < 0) +                                return r; +                        if (r > 0) +                                continue; + +                        soa = dns_resource_key_new(rr->key->class, DNS_TYPE_SOA, DNS_RESOURCE_KEY_NAME(rr->key)); +                        if (!soa) +                                return -ENOMEM; + +                        log_debug("Requesting SOA to validate transaction %" PRIu16 " (%s, unsigned non-SOA/NS RRset).", t->id, DNS_RESOURCE_KEY_NAME(rr->key)); +                        r = dns_transaction_request_dnssec_rr(t, soa); +                        if (r < 0) +                                return r; +                        break; +                }} +        } + +        /* Above, we requested everything necessary to validate what +         * we got. Now, let's request what we need to validate what we +         * didn't get... */ + +        r = dns_transaction_has_unsigned_negative_answer(t); +        if (r < 0) +                return r; +        if (r > 0) { +                const char *name; + +                name = DNS_RESOURCE_KEY_NAME(t->key); + +                /* If this was a SOA or NS request, then this +                 * indicates that we are not at a zone apex, hence ask +                 * the parent name instead. If this was a DS request, +                 * then it's signed when the parent zone is signed, +                 * hence ask the parent in that case, too. */ + +                if (IN_SET(t->key->type, DNS_TYPE_SOA, DNS_TYPE_NS, DNS_TYPE_DS)) { +                        r = dns_name_parent(&name); +                        if (r < 0) +                                return r; +                        if (r > 0) +                                log_debug("Requesting parent SOA to validate transaction %" PRIu16 " (%s, unsigned empty SOA/NS/DS response).", t->id, DNS_RESOURCE_KEY_NAME(t->key)); +                        else +                                name = NULL; +                } else +                        log_debug("Requesting SOA to validate transaction %" PRIu16 " (%s, unsigned empty non-SOA/NS/DS response).", t->id, DNS_RESOURCE_KEY_NAME(t->key)); + +                if (name) { +                        _cleanup_(dns_resource_key_unrefp) DnsResourceKey *soa = NULL; + +                        soa = dns_resource_key_new(t->key->class, DNS_TYPE_SOA, name); +                        if (!soa) +                                return -ENOMEM; + +                        r = dns_transaction_request_dnssec_rr(t, soa); +                        if (r < 0) +                                return r; +                } +        } + +        return dns_transaction_dnssec_is_live(t); +} + +void dns_transaction_notify(DnsTransaction *t, DnsTransaction *source) { +        int r; + +        assert(t); +        assert(source); + +        if (!IN_SET(t->state, DNS_TRANSACTION_PENDING, DNS_TRANSACTION_VALIDATING)) +                return; + +        /* Invoked whenever any of our auxiliary DNSSEC transactions +           completed its work. We copy any RRs from that transaction +           over into our list of validated keys -- but only if the +           answer is authenticated. + +           Note that we fail our transaction if the auxiliary +           transaction failed, except on NXDOMAIN. This is because +           some broken DNS servers (Akamai...) will return NXDOMAIN +           for empty non-terminals. */ + +        switch (source->state) { + +        case DNS_TRANSACTION_DNSSEC_FAILED: + +                log_debug("Auxiliary DNSSEC RR query failed validation: %s", dnssec_result_to_string(source->answer_dnssec_result)); +                t->answer_dnssec_result = source->answer_dnssec_result; /* Copy error code over */ +                dns_transaction_complete(t, DNS_TRANSACTION_DNSSEC_FAILED); +                break; + +        case DNS_TRANSACTION_RCODE_FAILURE: + +                if (source->answer_rcode != DNS_RCODE_NXDOMAIN) { +                        log_debug("Auxiliary DNSSEC RR query failed with rcode=%i.", source->answer_rcode); +                        goto fail; +                } + +                /* fall-through: NXDOMAIN is good enough for us */ + +        case DNS_TRANSACTION_SUCCESS: +                if (source->answer_authenticated) { +                        r = dns_answer_extend(&t->validated_keys, source->answer); +                        if (r < 0) { +                                log_error_errno(r, "Failed to merge validated DNSSEC key data: %m"); +                                goto fail; +                        } +                } + +                /* If the state is still PENDING, we are still in the loop +                 * that adds further DNSSEC transactions, hence don't check if +                 * we are ready yet. If the state is VALIDATING however, we +                 * should check if we are complete now. */ +                if (t->state == DNS_TRANSACTION_VALIDATING) +                        dns_transaction_process_dnssec(t); +                break; + +        default: +                log_debug("Auxiliary DNSSEC RR query failed with %s", dns_transaction_state_to_string(source->state)); +                goto fail; +        } + +        return; + +fail: +        t->answer_dnssec_result = DNSSEC_FAILED_AUXILIARY; +        dns_transaction_complete(t, DNS_TRANSACTION_DNSSEC_FAILED); +} + +static int dns_transaction_validate_dnskey_by_ds(DnsTransaction *t) { +        DnsResourceRecord *rr; +        int ifindex, r; + +        assert(t); + +        /* Add all DNSKEY RRs from the answer that are validated by DS +         * RRs from the list of validated keys to the list of +         * validated keys. */ + +        DNS_ANSWER_FOREACH_IFINDEX(rr, ifindex, t->answer) { + +                r = dnssec_verify_dnskey_search(rr, t->validated_keys); +                if (r < 0) +                        return r; +                if (r == 0) +                        continue; + +                /* If so, the DNSKEY is validated too. */ +                r = dns_answer_add_extend(&t->validated_keys, rr, ifindex, DNS_ANSWER_AUTHENTICATED); +                if (r < 0) +                        return r; +        } + +        return 0; +} + +static int dns_transaction_requires_rrsig(DnsTransaction *t, DnsResourceRecord *rr) { +        int r; + +        assert(t); +        assert(rr); + +        /* Checks if the RR we are looking for must be signed with an +         * RRSIG. This is used for positive responses. */ + +        if (t->scope->dnssec_mode != DNSSEC_YES) +                return false; + +        if (dns_type_is_pseudo(rr->key->type)) +                return -EINVAL; + +        switch (rr->key->type) { + +        case DNS_TYPE_DNSKEY: +        case DNS_TYPE_DS: +        case DNS_TYPE_NSEC: +        case DNS_TYPE_NSEC3: +                /* We never consider DNSKEY, DS, NSEC, NSEC3 RRs if they aren't signed. */ +                return true; + +        case DNS_TYPE_RRSIG: +                /* RRSIGs are the signatures themselves, they need no signing. */ +                return false; + +        case DNS_TYPE_SOA: +        case DNS_TYPE_NS: { +                DnsTransaction *dt; +                Iterator i; + +                /* For SOA or NS RRs we look for a matching DS transaction, or a SOA transaction of the parent */ + +                SET_FOREACH(dt, t->dnssec_transactions, i) { + +                        if (dt->key->class != rr->key->class) +                                continue; +                        if (dt->key->type != DNS_TYPE_DS) +                                continue; + +                        r = dns_name_equal(DNS_RESOURCE_KEY_NAME(dt->key), DNS_RESOURCE_KEY_NAME(rr->key)); +                        if (r < 0) +                                return r; +                        if (r == 0) +                                continue; + +                        /* We found a DS transactions for the SOA/NS +                         * RRs we are looking at. If it discovered signed DS +                         * RRs, then we need to be signed, too. */ + +                        if (!dt->answer_authenticated) +                                return false; + +                        return dns_answer_match_key(dt->answer, dt->key, NULL); +                } + +                /* We found nothing that proves this is safe to leave +                 * this unauthenticated, hence ask inist on +                 * authentication. */ +                return true; +        } + +        case DNS_TYPE_CNAME: +        case DNS_TYPE_DNAME: { +                const char *parent = NULL; +                DnsTransaction *dt; +                Iterator i; + +                /* CNAME/DNAME RRs cannot be located at a zone apex, hence look directly for the parent SOA. */ + +                SET_FOREACH(dt, t->dnssec_transactions, i) { + +                        if (dt->key->class != rr->key->class) +                                continue; +                        if (dt->key->type != DNS_TYPE_SOA) +                                continue; + +                        if (!parent) { +                                parent = DNS_RESOURCE_KEY_NAME(rr->key); +                                r = dns_name_parent(&parent); +                                if (r < 0) +                                        return r; +                                if (r == 0) { +                                        /* A CNAME/DNAME without a parent? That's sooo weird. */ +                                        log_debug("Transaction %" PRIu16 " claims CNAME/DNAME at root. Refusing.", t->id); +                                        return -EBADMSG; +                                } +                        } + +                        r = dns_name_equal(DNS_RESOURCE_KEY_NAME(dt->key), parent); +                        if (r < 0) +                                return r; +                        if (r == 0) +                                continue; + +                        return t->answer_authenticated; +                } + +                return true; +        } + +        default: { +                DnsTransaction *dt; +                Iterator i; + +                /* Any other kind of RR. Let's see if our SOA lookup was authenticated */ + +                SET_FOREACH(dt, t->dnssec_transactions, i) { + +                        if (dt->key->class != rr->key->class) +                                continue; +                        if (dt->key->type != DNS_TYPE_SOA) +                                continue; + +                        r = dns_name_equal(DNS_RESOURCE_KEY_NAME(dt->key), DNS_RESOURCE_KEY_NAME(rr->key)); +                        if (r < 0) +                                return r; +                        if (r == 0) +                                continue; + +                        /* We found the transaction that was supposed to find +                         * the SOA RR for us. It was successful, but found no +                         * RR for us. This means we are not at a zone cut. In +                         * this case, we require authentication if the SOA +                         * lookup was authenticated too. */ +                        return t->answer_authenticated; +                } + +                return true; +        }} +} + +static int dns_transaction_requires_nsec(DnsTransaction *t) { +        DnsTransaction *dt; +        const char *name; +        Iterator i; +        int r; + +        assert(t); + +        /* Checks if we need to insist on NSEC/NSEC3 RRs for proving +         * this negative reply */ + +        if (t->scope->dnssec_mode != DNSSEC_YES) +                return false; + +        if (dns_type_is_pseudo(t->key->type)) +                return -EINVAL; + +        name = DNS_RESOURCE_KEY_NAME(t->key); + +        if (IN_SET(t->key->type, DNS_TYPE_SOA, DNS_TYPE_NS, DNS_TYPE_DS)) { + +                /* We got a negative reply for this SOA/NS lookup? If +                 * so, then we are not at a zone apex, and thus should +                 * look at the result of the parent SOA lookup. +                 * +                 * We got a negative reply for this DS lookup? DS RRs +                 * are signed when their parent zone is signed, hence +                 * also check the parent SOA in this case. */ + +                r = dns_name_parent(&name); +                if (r < 0) +                        return r; +                if (r == 0) +                        return true; +        } + +        /* For all other RRs we check the SOA on the same level to see +         * if it's signed. */ + +        SET_FOREACH(dt, t->dnssec_transactions, i) { + +                if (dt->key->class != t->key->class) +                        continue; +                if (dt->key->type != DNS_TYPE_SOA) +                        continue; + +                r = dns_name_equal(DNS_RESOURCE_KEY_NAME(dt->key), name); +                if (r < 0) +                        return r; +                if (r == 0) +                        continue; + +                return dt->answer_authenticated; +        } + +        /* If in doubt, require NSEC/NSEC3 */ +        return true; +} + +int dns_transaction_validate_dnssec(DnsTransaction *t) { +        _cleanup_(dns_answer_unrefp) DnsAnswer *validated = NULL; +        bool dnskeys_finalized = false; +        DnsResourceRecord *rr; +        DnsAnswerFlags flags; +        int r; + +        assert(t); + +        /* We have now collected all DS and DNSKEY RRs in +         * t->validated_keys, let's see which RRs we can now +         * authenticate with that. */ + +        if (t->scope->dnssec_mode != DNSSEC_YES) +                return 0; + +        /* Already validated */ +        if (t->answer_dnssec_result != _DNSSEC_RESULT_INVALID) +                return 0; + +        /* Our own stuff needs no validation */ +        if (IN_SET(t->answer_source, DNS_TRANSACTION_ZONE, DNS_TRANSACTION_TRUST_ANCHOR)) { +                t->answer_dnssec_result = DNSSEC_VALIDATED; +                t->answer_authenticated = true; +                return 0; +        } + +        /* Cached stuff is not affected by validation. */ +        if (t->answer_source != DNS_TRANSACTION_NETWORK) +                return 0; + +        log_debug("Validating response from transaction %" PRIu16 " (%s).", t->id, dns_transaction_key_string(t)); + +        /* First see if there are DNSKEYs we already known a validated DS for. */ +        r = dns_transaction_validate_dnskey_by_ds(t); +        if (r < 0) +                return r; + +        for (;;) { +                bool changed = false; + +                DNS_ANSWER_FOREACH(rr, t->answer) { +                        DnssecResult result; + +                        if (rr->key->type == DNS_TYPE_RRSIG) +                                continue; + +                        r = dnssec_verify_rrset_search(t->answer, rr->key, t->validated_keys, USEC_INFINITY, &result); +                        if (r < 0) +                                return r; + +                        if (log_get_max_level() >= LOG_DEBUG) { +                                _cleanup_free_ char *rrs = NULL; + +                                (void) dns_resource_record_to_string(rr, &rrs); +                                log_debug("Looking at %s: %s", rrs ? strstrip(rrs) : "???", dnssec_result_to_string(result)); +                        } + +                        if (result == DNSSEC_VALIDATED) { + +                                if (rr->key->type == DNS_TYPE_DNSKEY) { +                                        /* If we just validated a +                                         * DNSKEY RRset, then let's +                                         * add these keys to the set +                                         * of validated keys for this +                                         * transaction. */ + +                                        r = dns_answer_copy_by_key(&t->validated_keys, t->answer, rr->key, DNS_ANSWER_AUTHENTICATED); +                                        if (r < 0) +                                                return r; +                                } + +                                /* Add the validated RRset to the new +                                 * list of validated RRsets, and +                                 * remove it from the unvalidated +                                 * RRsets. We mark the RRset as +                                 * authenticated and cacheable. */ +                                r = dns_answer_move_by_key(&validated, &t->answer, rr->key, DNS_ANSWER_AUTHENTICATED|DNS_ANSWER_CACHEABLE); +                                if (r < 0) +                                        return r; + +                                /* Exit the loop, we dropped something from the answer, start from the beginning */ +                                changed = true; +                                break; + +                        } else if (dnskeys_finalized) { +                                /* If we haven't read all DNSKEYs yet +                                 * a negative result of the validation +                                 * is irrelevant, as there might be +                                 * more DNSKEYs coming. */ + +                                if (result == DNSSEC_NO_SIGNATURE) { +                                        r = dns_transaction_requires_rrsig(t, rr); +                                        if (r < 0) +                                                return r; +                                        if (r == 0) { +                                                /* Data does not require signing. In that case, just copy it over, +                                                 * but remember that this is by no means authenticated.*/ +                                                r = dns_answer_move_by_key(&validated, &t->answer, rr->key, 0); +                                                if (r < 0) +                                                        return r; + +                                                changed = true; +                                                break; +                                        } +                                } + +                                r = dns_transaction_is_primary_response(t, rr); +                                if (r < 0) +                                        return r; +                                if (r > 0) { +                                        /* This is a primary response +                                         * to our question, and it +                                         * failed validation. That's +                                         * fatal. */ +                                        t->answer_dnssec_result = result; +                                        return 0; +                                } + +                                /* This is just some auxiliary +                                 * data. Just remove the RRset and +                                 * continue. */ +                                r = dns_answer_remove_by_key(&t->answer, rr->key); +                                if (r < 0) +                                        return r; + +                                /* Exit the loop, we dropped something from the answer, start from the beginning */ +                                changed = true; +                                break; +                        } +                } + +                if (changed) +                        continue; + +                if (!dnskeys_finalized) { +                        /* OK, now we know we have added all DNSKEYs +                         * we possibly could to our validated +                         * list. Now run the whole thing once more, +                         * and strip everything we still cannot +                         * validate. +                         */ +                        dnskeys_finalized = true; +                        continue; +                } + +                /* We're done */ +                break; +        } + +        dns_answer_unref(t->answer); +        t->answer = validated; +        validated = NULL; + +        /* At this point the answer only contains validated +         * RRsets. Now, let's see if it actually answers the question +         * we asked. If so, great! If it doesn't, then see if +         * NSEC/NSEC3 can prove this. */ +        r = dns_transaction_has_positive_answer(t, &flags); +        if (r > 0) { +                /* Yes, it answers the question! */ + +                if (flags & DNS_ANSWER_AUTHENTICATED) { +                        /* The answer is fully authenticated, yay. */ +                        t->answer_dnssec_result = DNSSEC_VALIDATED; +                        t->answer_rcode = DNS_RCODE_SUCCESS; +                        t->answer_authenticated = true; +                } else { +                        /* The answer is not fully authenticated. */ +                        t->answer_dnssec_result = DNSSEC_UNSIGNED; +                        t->answer_authenticated = false; +                } + +        } else if (r == 0) { +                DnssecNsecResult nr; + +                /* Bummer! Let's check NSEC/NSEC3 */ +                r = dnssec_test_nsec(t->answer, t->key, &nr); +                if (r < 0) +                        return r; + +                switch (nr) { + +                case DNSSEC_NSEC_NXDOMAIN: +                        /* NSEC proves the domain doesn't exist. Very good. */ +                        log_debug("Proved NXDOMAIN via NSEC/NSEC3 for transaction %u (%s)", t->id, dns_transaction_key_string(t)); +                        t->answer_dnssec_result = DNSSEC_VALIDATED; +                        t->answer_rcode = DNS_RCODE_NXDOMAIN; +                        t->answer_authenticated = true; +                        break; + +                case DNSSEC_NSEC_NODATA: +                        /* NSEC proves that there's no data here, very good. */ +                        log_debug("Proved NODATA via NSEC/NSEC3 for transaction %u (%s)", t->id, dns_transaction_key_string(t)); +                        t->answer_dnssec_result = DNSSEC_VALIDATED; +                        t->answer_rcode = DNS_RCODE_SUCCESS; +                        t->answer_authenticated = true; +                        break; + +                case DNSSEC_NSEC_OPTOUT: +                        /* NSEC3 says the data might not be signed */ +                        log_debug("Data is NSEC3 opt-out via NSEC/NSEC3 for transaction %u (%s)", t->id, dns_transaction_key_string(t)); +                        t->answer_dnssec_result = DNSSEC_UNSIGNED; +                        t->answer_authenticated = false; +                        break; + +                case DNSSEC_NSEC_NO_RR: +                        /* No NSEC data? Bummer! */ + +                        r = dns_transaction_requires_nsec(t); +                        if (r < 0) +                                return r; +                        if (r > 0) +                                t->answer_dnssec_result = DNSSEC_NO_SIGNATURE; +                        else { +                                t->answer_dnssec_result = DNSSEC_UNSIGNED; +                                t->answer_authenticated = false; +                        } + +                        break; + +                case DNSSEC_NSEC_UNSUPPORTED_ALGORITHM: +                        /* We don't know the NSEC3 algorithm used? */ +                        t->answer_dnssec_result = DNSSEC_UNSUPPORTED_ALGORITHM; +                        break; + +                case DNSSEC_NSEC_FOUND: +                        /* NSEC says it needs to be there, but we couldn't find it? Bummer! */ +                        t->answer_dnssec_result = DNSSEC_NSEC_MISMATCH; +                        break; + +                default: +                        assert_not_reached("Unexpected NSEC result."); +                } +        } + +        return 1; +} + +const char *dns_transaction_key_string(DnsTransaction *t) { +        assert(t); + +        if (!t->key_string) { +                if (dns_resource_key_to_string(t->key, &t->key_string) < 0) +                        return "n/a"; +        } + +        return strstrip(t->key_string);  }  static const char* const dns_transaction_state_table[_DNS_TRANSACTION_STATE_MAX] = {          [DNS_TRANSACTION_NULL] = "null",          [DNS_TRANSACTION_PENDING] = "pending", -        [DNS_TRANSACTION_FAILURE] = "failure", +        [DNS_TRANSACTION_VALIDATING] = "validating", +        [DNS_TRANSACTION_RCODE_FAILURE] = "rcode-failure",          [DNS_TRANSACTION_SUCCESS] = "success",          [DNS_TRANSACTION_NO_SERVERS] = "no-servers",          [DNS_TRANSACTION_TIMEOUT] = "timeout", @@ -834,6 +2117,7 @@ static const char* const dns_transaction_state_table[_DNS_TRANSACTION_STATE_MAX]          [DNS_TRANSACTION_INVALID_REPLY] = "invalid-reply",          [DNS_TRANSACTION_RESOURCES] = "resources",          [DNS_TRANSACTION_ABORTED] = "aborted", +        [DNS_TRANSACTION_DNSSEC_FAILED] = "dnssec-failed",  };  DEFINE_STRING_TABLE_LOOKUP(dns_transaction_state, DnsTransactionState); diff --git a/src/resolve/resolved-dns-transaction.h b/src/resolve/resolved-dns-transaction.h index a3058ce6e8..fea25aab09 100644 --- a/src/resolve/resolved-dns-transaction.h +++ b/src/resolve/resolved-dns-transaction.h @@ -28,7 +28,8 @@ typedef enum DnsTransactionSource DnsTransactionSource;  enum DnsTransactionState {          DNS_TRANSACTION_NULL,          DNS_TRANSACTION_PENDING, -        DNS_TRANSACTION_FAILURE, +        DNS_TRANSACTION_VALIDATING, +        DNS_TRANSACTION_RCODE_FAILURE,          DNS_TRANSACTION_SUCCESS,          DNS_TRANSACTION_NO_SERVERS,          DNS_TRANSACTION_TIMEOUT, @@ -36,10 +37,13 @@ enum DnsTransactionState {          DNS_TRANSACTION_INVALID_REPLY,          DNS_TRANSACTION_RESOURCES,          DNS_TRANSACTION_ABORTED, +        DNS_TRANSACTION_DNSSEC_FAILED,          _DNS_TRANSACTION_STATE_MAX,          _DNS_TRANSACTION_STATE_INVALID = -1  }; +#define DNS_TRANSACTION_IS_LIVE(state) IN_SET((state), DNS_TRANSACTION_NULL, DNS_TRANSACTION_PENDING, DNS_TRANSACTION_VALIDATING) +  enum DnsTransactionSource {          DNS_TRANSACTION_NETWORK,          DNS_TRANSACTION_CACHE, @@ -58,20 +62,38 @@ struct DnsTransaction {          DnsScope *scope;          DnsResourceKey *key; +        char *key_string;          DnsTransactionState state; +          uint16_t id; -        bool initial_jitter; +        bool initial_jitter_scheduled:1; +        bool initial_jitter_elapsed:1;          DnsPacket *sent, *received;          DnsAnswer *answer;          int answer_rcode; +        DnssecResult answer_dnssec_result;          DnsTransactionSource answer_source; + +        /* Indicates whether the primary answer is authenticated, +         * i.e. whether the RRs from answer which directly match the +         * question are authenticated, or, if there are none, whether +         * the NODATA or NXDOMAIN case is. It says nothing about +         * additional RRs listed in the answer, however they have +         * their own DNS_ANSWER_AUTHORIZED FLAGS. Note that this bit +         * is defined different than the AD bit in DNS packets, as +         * that covers more than just the actual primary answer. */          bool answer_authenticated; +        /* Contains DNSKEY, DS, SOA RRs we already verified and need +         * to authenticate this reply */ +        DnsAnswer *validated_keys; +          usec_t start_usec; +        usec_t next_attempt_after;          sd_event_source *timeout_event_source;          unsigned n_attempts; @@ -81,7 +103,7 @@ struct DnsTransaction {          /* The active server */          DnsServer *server; -        /* the features of the DNS server at time of transaction start */ +        /* The features of the DNS server at time of transaction start */          DnsServerFeatureLevel current_features;          /* TCP connection logic, if we need it */ @@ -90,11 +112,21 @@ struct DnsTransaction {          /* Query candidates this transaction is referenced by and that           * shall be notified about this specific transaction           * completing. */ -        Set *query_candidates; +        Set *notify_query_candidates;          /* Zone items this transaction is referenced by and that shall           * be notified about completion. */ -        Set *zone_items; +        Set *notify_zone_items; + +        /* Other transactions that this transactions is referenced by +         * and that shall be notified about completion. This is used +         * when transactions want to validate their RRsets, but need +         * another DNSKEY or DS RR to do so. */ +        Set *notify_transactions; + +        /* The opposite direction: the transactions this transaction +         * created in order to request DNSKEY or DS RRs. */ +        Set *dnssec_transactions;          unsigned block_gc; @@ -110,6 +142,12 @@ int dns_transaction_go(DnsTransaction *t);  void dns_transaction_process_reply(DnsTransaction *t, DnsPacket *p);  void dns_transaction_complete(DnsTransaction *t, DnsTransactionState state); +void dns_transaction_notify(DnsTransaction *t, DnsTransaction *source); +int dns_transaction_validate_dnssec(DnsTransaction *t); +int dns_transaction_request_dnssec_keys(DnsTransaction *t); + +const char *dns_transaction_key_string(DnsTransaction *t); +  const char* dns_transaction_state_to_string(DnsTransactionState p) _const_;  DnsTransactionState dns_transaction_state_from_string(const char *s) _pure_; @@ -119,6 +157,10 @@ DnsTransactionSource dns_transaction_source_from_string(const char *s) _pure_;  /* LLMNR Jitter interval, see RFC 4795 Section 7 */  #define LLMNR_JITTER_INTERVAL_USEC (100 * USEC_PER_MSEC) +/* mDNS Jitter interval, see RFC 6762 Section 5.2 */ +#define MDNS_JITTER_MIN_USEC   (20 * USEC_PER_MSEC) +#define MDNS_JITTER_RANGE_USEC (100 * USEC_PER_MSEC) +  /* Maximum attempts to send DNS requests, across all DNS servers */  #define DNS_TRANSACTION_ATTEMPTS_MAX 16 diff --git a/src/resolve/resolved-dns-trust-anchor.c b/src/resolve/resolved-dns-trust-anchor.c index e55bdaa1ed..208b7fefc4 100644 --- a/src/resolve/resolved-dns-trust-anchor.c +++ b/src/resolve/resolved-dns-trust-anchor.c @@ -58,7 +58,7 @@ int dns_trust_anchor_load(DnsTrustAnchor *d) {          if (!answer)                  return -ENOMEM; -        r = dns_answer_add(answer, rr, 0); +        r = dns_answer_add(answer, rr, 0, DNS_ANSWER_AUTHENTICATED);          if (r < 0)                  return r; diff --git a/src/resolve/resolved-dns-zone.c b/src/resolve/resolved-dns-zone.c index 78f44d51a2..20c8a4da90 100644 --- a/src/resolve/resolved-dns-zone.c +++ b/src/resolve/resolved-dns-zone.c @@ -39,7 +39,7 @@ void dns_zone_item_probe_stop(DnsZoneItem *i) {          t = i->probe_transaction;          i->probe_transaction = NULL; -        set_remove(t->zone_items, i); +        set_remove(t->notify_zone_items, i);          dns_transaction_gc(t);  } @@ -184,11 +184,11 @@ static int dns_zone_item_probe_start(DnsZoneItem *i)  {                          return r;          } -        r = set_ensure_allocated(&t->zone_items, NULL); +        r = set_ensure_allocated(&t->notify_zone_items, NULL);          if (r < 0)                  goto gc; -        r = set_put(t->zone_items, i); +        r = set_put(t->notify_zone_items, i);          if (r < 0)                  goto gc; @@ -206,7 +206,7 @@ static int dns_zone_item_probe_start(DnsZoneItem *i)  {                  }          } -        dns_zone_item_ready(i); +        dns_zone_item_notify(i);          return 0;  gc: @@ -223,9 +223,9 @@ int dns_zone_put(DnsZone *z, DnsScope *s, DnsResourceRecord *rr, bool probe) {          assert(s);          assert(rr); -        if (rr->key->class == DNS_CLASS_ANY) +        if (dns_class_is_pseudo(rr->key->class))                  return -EINVAL; -        if (rr->key->type == DNS_TYPE_ANY) +        if (dns_type_is_pseudo(rr->key->type))                  return -EINVAL;          existing = dns_zone_get(z, rr); @@ -386,7 +386,7 @@ int dns_zone_lookup(DnsZone *z, DnsResourceKey *key, DnsAnswer **ret_answer, Dns                          if (k < 0)                                  return k;                          if (k > 0) { -                                r = dns_answer_add(answer, j->rr, 0); +                                r = dns_answer_add(answer, j->rr, 0, DNS_ANSWER_AUTHENTICATED);                                  if (r < 0)                                          return r; @@ -412,7 +412,7 @@ int dns_zone_lookup(DnsZone *z, DnsResourceKey *key, DnsAnswer **ret_answer, Dns                          if (j->state != DNS_ZONE_ITEM_PROBING)                                  tentative = false; -                        r = dns_answer_add(answer, j->rr, 0); +                        r = dns_answer_add(answer, j->rr, 0, DNS_ANSWER_AUTHENTICATED);                          if (r < 0)                                  return r;                  } @@ -491,7 +491,7 @@ void dns_zone_item_conflict(DnsZoneItem *i) {                  manager_next_hostname(i->scope->manager);  } -void dns_zone_item_ready(DnsZoneItem *i) { +void dns_zone_item_notify(DnsZoneItem *i) {          _cleanup_free_ char *pretty = NULL;          assert(i); @@ -500,7 +500,7 @@ void dns_zone_item_ready(DnsZoneItem *i) {          if (i->block_ready > 0)                  return; -        if (IN_SET(i->probe_transaction->state, DNS_TRANSACTION_NULL, DNS_TRANSACTION_PENDING)) +        if (IN_SET(i->probe_transaction->state, DNS_TRANSACTION_NULL, DNS_TRANSACTION_PENDING, DNS_TRANSACTION_VALIDATING))                  return;          if (i->probe_transaction->state == DNS_TRANSACTION_SUCCESS) { diff --git a/src/resolve/resolved-dns-zone.h b/src/resolve/resolved-dns-zone.h index 44a8624c30..dbd6a2a368 100644 --- a/src/resolve/resolved-dns-zone.h +++ b/src/resolve/resolved-dns-zone.h @@ -70,7 +70,7 @@ void dns_zone_remove_rr(DnsZone *z, DnsResourceRecord *rr);  int dns_zone_lookup(DnsZone *z, DnsResourceKey *key, DnsAnswer **answer, DnsAnswer **soa, bool *tentative);  void dns_zone_item_conflict(DnsZoneItem *i); -void dns_zone_item_ready(DnsZoneItem *i); +void dns_zone_item_notify(DnsZoneItem *i);  int dns_zone_check_conflicts(DnsZone *zone, DnsResourceRecord *rr);  int dns_zone_verify_conflicts(DnsZone *zone, DnsResourceKey *key); diff --git a/src/resolve/resolved-link.c b/src/resolve/resolved-link.c index ddd9427dab..0fe2bb30bd 100644 --- a/src/resolve/resolved-link.c +++ b/src/resolve/resolved-link.c @@ -77,6 +77,8 @@ Link *link_free(Link *l) {          dns_scope_free(l->unicast_scope);          dns_scope_free(l->llmnr_ipv4_scope);          dns_scope_free(l->llmnr_ipv6_scope); +        dns_scope_free(l->mdns_ipv4_scope); +        dns_scope_free(l->mdns_ipv6_scope);          free(l);          return NULL; @@ -118,6 +120,28 @@ static void link_allocate_scopes(Link *l) {                  }          } else                  l->llmnr_ipv6_scope = dns_scope_free(l->llmnr_ipv6_scope); + +        if (link_relevant(l, AF_INET) && +            l->mdns_support != SUPPORT_NO && +            l->manager->mdns_support != SUPPORT_NO) { +                if (!l->mdns_ipv4_scope) { +                        r = dns_scope_new(l->manager, &l->mdns_ipv4_scope, l, DNS_PROTOCOL_MDNS, AF_INET); +                        if (r < 0) +                                log_warning_errno(r, "Failed to allocate mDNS IPv4 scope: %m"); +                } +        } else +                l->mdns_ipv4_scope = dns_scope_free(l->mdns_ipv4_scope); + +        if (link_relevant(l, AF_INET6) && +            l->mdns_support != SUPPORT_NO && +            l->manager->mdns_support != SUPPORT_NO) { +                if (!l->mdns_ipv6_scope) { +                        r = dns_scope_new(l->manager, &l->mdns_ipv6_scope, l, DNS_PROTOCOL_MDNS, AF_INET6); +                        if (r < 0) +                                log_warning_errno(r, "Failed to allocate mDNS IPv6 scope: %m"); +                } +        } else +                l->mdns_ipv6_scope = dns_scope_free(l->mdns_ipv6_scope);  }  void link_add_rrs(Link *l, bool force_remove) { @@ -159,6 +183,10 @@ static int link_update_dns_servers(Link *l) {          assert(l);          r = sd_network_link_get_dns(l->ifindex, &nameservers); +        if (r == -ENODATA) { +                r = 0; +                goto clear; +        }          if (r < 0)                  goto clear; @@ -198,6 +226,10 @@ static int link_update_llmnr_support(Link *l) {          assert(l);          r = sd_network_link_get_llmnr(l->ifindex, &b); +        if (r == -ENODATA) { +                r = 0; +                goto clear; +        }          if (r < 0)                  goto clear; @@ -228,6 +260,11 @@ static int link_update_search_domains(Link *l) {          assert(l);          r = sd_network_link_get_domains(l->ifindex, &domains); +        if (r == -ENODATA) { +                /* networkd knows nothing about this interface, and that's fine. */ +                r = 0; +                goto clear; +        }          if (r < 0)                  goto clear; diff --git a/src/resolve/resolved-link.h b/src/resolve/resolved-link.h index eb00015bd5..a3b406bbc2 100644 --- a/src/resolve/resolved-link.h +++ b/src/resolve/resolved-link.h @@ -67,10 +67,13 @@ struct Link {          unsigned n_search_domains;          Support llmnr_support; +        Support mdns_support;          DnsScope *unicast_scope;          DnsScope *llmnr_ipv4_scope;          DnsScope *llmnr_ipv6_scope; +        DnsScope *mdns_ipv4_scope; +        DnsScope *mdns_ipv6_scope;          char name[IF_NAMESIZE];          uint32_t mtu; diff --git a/src/resolve/resolved-llmnr.c b/src/resolve/resolved-llmnr.c index 6a7ff9d245..ed754c3899 100644 --- a/src/resolve/resolved-llmnr.c +++ b/src/resolve/resolved-llmnr.c @@ -461,10 +461,8 @@ int manager_llmnr_ipv6_tcp_fd(Manager *m) {          }          r = sd_event_add_io(m->event, &m->llmnr_ipv6_tcp_event_source, m->llmnr_ipv6_tcp_fd, EPOLLIN, on_llmnr_stream, m); -        if (r < 0)  { -                r = -errno; +        if (r < 0)                  goto fail; -        }          return m->llmnr_ipv6_tcp_fd; diff --git a/src/resolve/resolved-manager.c b/src/resolve/resolved-manager.c index 5a3696ccb0..20955b3f6b 100644 --- a/src/resolve/resolved-manager.c +++ b/src/resolve/resolved-manager.c @@ -40,6 +40,7 @@  #include "resolved-llmnr.h"  #include "resolved-manager.h"  #include "resolved-resolv-conf.h" +#include "resolved-mdns.h"  #include "socket-util.h"  #include "string-table.h"  #include "string-util.h" @@ -472,6 +473,7 @@ int manager_new(Manager **ret) {          m->llmnr_ipv4_udp_fd = m->llmnr_ipv6_udp_fd = -1;          m->llmnr_ipv4_tcp_fd = m->llmnr_ipv6_tcp_fd = -1; +        m->mdns_ipv4_fd = m->mdns_ipv6_fd = -1;          m->hostname_fd = -1;          m->llmnr_support = SUPPORT_YES; @@ -528,6 +530,10 @@ int manager_start(Manager *m) {          if (r < 0)                  return r; +        r = manager_mdns_start(m); +        if (r < 0) +                return r; +          return 0;  } @@ -559,6 +565,7 @@ Manager *manager_free(Manager *m) {          sd_event_source_unref(m->rtnl_event_source);          manager_llmnr_stop(m); +        manager_mdns_stop(m);          sd_bus_slot_unref(m->prepare_for_sleep_slot);          sd_event_source_unref(m->bus_retry_event_source); @@ -765,7 +772,7 @@ static int write_loop(int fd, void *message, size_t length) {  int manager_write(Manager *m, int fd, DnsPacket *p) {          int r; -        log_debug("Sending %s packet with id %u", DNS_PACKET_QR(p) ? "response" : "query", DNS_PACKET_ID(p)); +        log_debug("Sending %s packet with id %" PRIu16 ".", DNS_PACKET_QR(p) ? "response" : "query", DNS_PACKET_ID(p));          r = write_loop(fd, DNS_PACKET_DATA(p), p->size);          if (r < 0) @@ -880,7 +887,7 @@ int manager_send(Manager *m, int fd, int ifindex, int family, const union in_add          assert(port > 0);          assert(p); -        log_debug("Sending %s packet with id %u on interface %i/%s", DNS_PACKET_QR(p) ? "response" : "query", DNS_PACKET_ID(p), ifindex, af_to_name(family)); +        log_debug("Sending %s packet with id %" PRIu16 " on interface %i/%s.", DNS_PACKET_QR(p) ? "response" : "query", DNS_PACKET_ID(p), ifindex, af_to_name(family));          if (family == AF_INET)                  return manager_ipv4_send(m, fd, ifindex, &addr->in, port, p); @@ -1024,11 +1031,25 @@ DnsScope* manager_find_scope(Manager *m, DnsPacket *p) {          if (!l)                  return NULL; -        if (p->protocol == DNS_PROTOCOL_LLMNR) { +        switch (p->protocol) { +        case DNS_PROTOCOL_LLMNR:                  if (p->family == AF_INET)                          return l->llmnr_ipv4_scope;                  else if (p->family == AF_INET6)                          return l->llmnr_ipv6_scope; + +                break; + +        case DNS_PROTOCOL_MDNS: +                if (p->family == AF_INET) +                        return l->mdns_ipv4_scope; +                else if (p->family == AF_INET6) +                        return l->mdns_ipv6_scope; + +                break; + +        default: +                break;          }          return NULL; diff --git a/src/resolve/resolved-manager.h b/src/resolve/resolved-manager.h index 1056f23ab7..b52273403a 100644 --- a/src/resolve/resolved-manager.h +++ b/src/resolve/resolved-manager.h @@ -54,6 +54,7 @@ struct Manager {          sd_event *event;          Support llmnr_support; +        Support mdns_support;          /* Network */          Hashmap *links; @@ -102,6 +103,13 @@ struct Manager {          sd_event_source *llmnr_ipv4_tcp_event_source;          sd_event_source *llmnr_ipv6_tcp_event_source; +        /* mDNS */ +        int mdns_ipv4_fd; +        int mdns_ipv6_fd; + +        sd_event_source *mdns_ipv4_event_source; +        sd_event_source *mdns_ipv6_event_source; +          /* dbus */          sd_bus *bus;          sd_event_source *bus_retry_event_source; diff --git a/src/resolve/resolved-mdns.c b/src/resolve/resolved-mdns.c new file mode 100644 index 0000000000..db23bc9d42 --- /dev/null +++ b/src/resolve/resolved-mdns.c @@ -0,0 +1,289 @@ +/*-*- Mode: C; c-basic-offset: 8; indent-tabs-mode: nil -*-*/ + +/*** +  This file is part of systemd. + +  Copyright 2015 Daniel Mack + +  systemd is free software; you can redistribute it and/or modify it +  under the terms of the GNU Lesser General Public License as published by +  the Free Software Foundation; either version 2.1 of the License, or +  (at your option) any later version. + +  systemd is distributed in the hope that it will be useful, but +  WITHOUT ANY WARRANTY; without even the implied warranty of +  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU +  Lesser General Public License for more details. + +  You should have received a copy of the GNU Lesser General Public License +  along with systemd; If not, see <http://www.gnu.org/licenses/>. + ***/ + +#include <resolv.h> +#include <netinet/in.h> +#include <arpa/inet.h> + +#include "fd-util.h" +#include "resolved-manager.h" +#include "resolved-mdns.h" + +void manager_mdns_stop(Manager *m) { +        assert(m); + +        m->mdns_ipv4_event_source = sd_event_source_unref(m->mdns_ipv4_event_source); +        m->mdns_ipv4_fd = safe_close(m->mdns_ipv4_fd); + +        m->mdns_ipv6_event_source = sd_event_source_unref(m->mdns_ipv6_event_source); +        m->mdns_ipv6_fd = safe_close(m->mdns_ipv6_fd); +} + +int manager_mdns_start(Manager *m) { +        int r; + +        assert(m); + +        if (m->mdns_support == SUPPORT_NO) +                return 0; + +        r = manager_mdns_ipv4_fd(m); +        if (r == -EADDRINUSE) +                goto eaddrinuse; +        if (r < 0) +                return r; + +        if (socket_ipv6_is_supported()) { +                r = manager_mdns_ipv6_fd(m); +                if (r == -EADDRINUSE) +                        goto eaddrinuse; +                if (r < 0) +                        return r; +        } + +        return 0; + +eaddrinuse: +        log_warning("There appears to be another mDNS responder running. Turning off mDNS support."); +        m->mdns_support = SUPPORT_NO; +        manager_mdns_stop(m); + +        return 0; +} + +static int on_mdns_packet(sd_event_source *s, int fd, uint32_t revents, void *userdata) { +        _cleanup_(dns_packet_unrefp) DnsPacket *p = NULL; +        Manager *m = userdata; +        DnsScope *scope; +        int r; + +        r = manager_recv(m, fd, DNS_PROTOCOL_MDNS, &p); +        if (r <= 0) +                return r; + +        scope = manager_find_scope(m, p); +        if (!scope) { +                log_warning("Got mDNS UDP packet on unknown scope. Ignoring."); +                return 0; +        } + +        if (dns_packet_validate_reply(p) > 0) { +                DnsResourceRecord *rr; + +                log_debug("Got mDNS reply packet"); + +                /* +                 * mDNS is different from regular DNS and LLMNR with regard to handling responses. +                 * While on other protocols, we can ignore every answer that doesn't match a question +                 * we broadcast earlier, RFC6762, section 18.1 recommends looking at and caching all +                 * incoming information, regardless of the DNS packet ID. +                 * +                 * Hence, extract the packet here, and try to find a transaction for answer the we got +                 * and complete it. Also store the new information in scope's cache. +                 */ +                r = dns_packet_extract(p); +                if (r < 0) { +                        log_debug("mDNS packet extraction failed."); +                        return 0; +                } + +                dns_scope_check_conflicts(scope, p); + +                DNS_ANSWER_FOREACH(rr, p->answer) { +                        const char *name = DNS_RESOURCE_KEY_NAME(rr->key); +                        DnsTransaction *t; + +                        /* If the received reply packet contains ANY record that is not .local or .in-addr.arpa, +                         * we assume someone's playing tricks on us and discard the packet completely. */ +                        if (!(dns_name_endswith(name, "in-addr.arpa") > 0 || +                              dns_name_endswith(name, "local") > 0)) +                                return 0; + +                        t = dns_scope_find_transaction(scope, rr->key, false); +                        if (t) +                                dns_transaction_process_reply(t, p); +                } + +                dns_cache_put(&scope->cache, NULL, DNS_PACKET_RCODE(p), p->answer, false, 0, p->family, &p->sender); + +        } else if (dns_packet_validate_query(p) > 0)  { +                log_debug("Got mDNS query packet for id %u", DNS_PACKET_ID(p)); + +                dns_scope_process_query(scope, NULL, p); +        } else +                log_debug("Invalid mDNS UDP packet."); + +        return 0; +} + +int manager_mdns_ipv4_fd(Manager *m) { +        union sockaddr_union sa = { +                .in.sin_family = AF_INET, +                .in.sin_port = htobe16(MDNS_PORT), +        }; +        static const int one = 1, pmtu = IP_PMTUDISC_DONT, ttl = 255; +        int r; + +        assert(m); + +        if (m->mdns_ipv4_fd >= 0) +                return m->mdns_ipv4_fd; + +        m->mdns_ipv4_fd = socket(AF_INET, SOCK_DGRAM|SOCK_CLOEXEC|SOCK_NONBLOCK, 0); +        if (m->mdns_ipv4_fd < 0) +                return -errno; + +        r = setsockopt(m->mdns_ipv4_fd, IPPROTO_IP, IP_TTL, &ttl, sizeof(ttl)); +        if (r < 0) { +                r = -errno; +                goto fail; +        } + +        r = setsockopt(m->mdns_ipv4_fd, IPPROTO_IP, IP_MULTICAST_TTL, &ttl, sizeof(ttl)); +        if (r < 0) { +                r = -errno; +                goto fail; +        } + +        r = setsockopt(m->mdns_ipv4_fd, IPPROTO_IP, IP_MULTICAST_LOOP, &one, sizeof(one)); +        if (r < 0) { +                r = -errno; +                goto fail; +        } + +        r = setsockopt(m->mdns_ipv4_fd, SOL_SOCKET, SO_REUSEADDR, &one, sizeof(one)); +        if (r < 0) { +                r = -errno; +                goto fail; +        } + +        r = setsockopt(m->mdns_ipv4_fd, IPPROTO_IP, IP_PKTINFO, &one, sizeof(one)); +        if (r < 0) { +                r = -errno; +                goto fail; +        } + +        r = setsockopt(m->mdns_ipv4_fd, IPPROTO_IP, IP_RECVTTL, &one, sizeof(one)); +        if (r < 0) { +                r = -errno; +                goto fail; +        } + +        /* Disable Don't-Fragment bit in the IP header */ +        r = setsockopt(m->mdns_ipv4_fd, IPPROTO_IP, IP_MTU_DISCOVER, &pmtu, sizeof(pmtu)); +        if (r < 0) { +                r = -errno; +                goto fail; +        } + +        r = bind(m->mdns_ipv4_fd, &sa.sa, sizeof(sa.in)); +        if (r < 0) { +                r = -errno; +                goto fail; +        } + +        r = sd_event_add_io(m->event, &m->mdns_ipv4_event_source, m->mdns_ipv4_fd, EPOLLIN, on_mdns_packet, m); +        if (r < 0) +                goto fail; + +        return m->mdns_ipv4_fd; + +fail: +        m->mdns_ipv4_fd = safe_close(m->mdns_ipv4_fd); +        return r; +} + +int manager_mdns_ipv6_fd(Manager *m) { +        union sockaddr_union sa = { +                .in6.sin6_family = AF_INET6, +                .in6.sin6_port = htobe16(MDNS_PORT), +        }; +        static const int one = 1, ttl = 255; +        int r; + +        assert(m); + +        if (m->mdns_ipv6_fd >= 0) +                return m->mdns_ipv6_fd; + +        m->mdns_ipv6_fd = socket(AF_INET6, SOCK_DGRAM|SOCK_CLOEXEC|SOCK_NONBLOCK, 0); +        if (m->mdns_ipv6_fd < 0) +                return -errno; + +        r = setsockopt(m->mdns_ipv6_fd, IPPROTO_IPV6, IPV6_UNICAST_HOPS, &ttl, sizeof(ttl)); +        if (r < 0) { +                r = -errno; +                goto fail; +        } + +        /* RFC 4795, section 2.5 recommends setting the TTL of UDP packets to 255. */ +        r = setsockopt(m->mdns_ipv6_fd, IPPROTO_IPV6, IPV6_MULTICAST_HOPS, &ttl, sizeof(ttl)); +        if (r < 0) { +                r = -errno; +                goto fail; +        } + +        r = setsockopt(m->mdns_ipv6_fd, IPPROTO_IPV6, IPV6_MULTICAST_LOOP, &one, sizeof(one)); +        if (r < 0) { +                r = -errno; +                goto fail; +        } + +        r = setsockopt(m->mdns_ipv6_fd, IPPROTO_IPV6, IPV6_V6ONLY, &one, sizeof(one)); +        if (r < 0) { +                r = -errno; +                goto fail; +        } + +        r = setsockopt(m->mdns_ipv6_fd, SOL_SOCKET, SO_REUSEADDR, &one, sizeof(one)); +        if (r < 0) { +                r = -errno; +                goto fail; +        } + +        r = setsockopt(m->mdns_ipv6_fd, IPPROTO_IPV6, IPV6_RECVPKTINFO, &one, sizeof(one)); +        if (r < 0) { +                r = -errno; +                goto fail; +        } + +        r = setsockopt(m->mdns_ipv6_fd, IPPROTO_IPV6, IPV6_RECVHOPLIMIT, &one, sizeof(one)); +        if (r < 0) { +                r = -errno; +                goto fail; +        } + +        r = bind(m->mdns_ipv6_fd, &sa.sa, sizeof(sa.in6)); +        if (r < 0) { +                r = -errno; +                goto fail; +        } + +        r = sd_event_add_io(m->event, &m->mdns_ipv6_event_source, m->mdns_ipv6_fd, EPOLLIN, on_mdns_packet, m); +        if (r < 0) +                goto fail; + +        return m->mdns_ipv6_fd; + +fail: +        m->mdns_ipv6_fd = safe_close(m->mdns_ipv6_fd); +        return r; +} diff --git a/src/import/pull-dkr.h b/src/resolve/resolved-mdns.h index a95d91205b..8a84010615 100644 --- a/src/import/pull-dkr.h +++ b/src/resolve/resolved-mdns.h @@ -1,9 +1,11 @@  /*-*- Mode: C; c-basic-offset: 8; indent-tabs-mode: nil -*-*/ +#pragma once +  /***    This file is part of systemd. -  Copyright 2014 Lennart Poettering +  Copyright 2015 Daniel Mack    systemd is free software; you can redistribute it and/or modify it    under the terms of the GNU Lesser General Public License as published by @@ -19,20 +21,12 @@    along with systemd; If not, see <http://www.gnu.org/licenses/>.  ***/ -#pragma once - -#include "sd-event.h" - -#include "util.h" - -typedef enum { DKR_PULL_V1, DKR_PULL_V2 } DkrPullVersion; -typedef struct DkrPull DkrPull; - -typedef void (*DkrPullFinished)(DkrPull *pull, int error, void *userdata); +#include "resolved-manager.h" -int dkr_pull_new(DkrPull **pull, sd_event *event, const char *index_url, const char *image_root, DkrPullFinished on_finished, void *userdata); -DkrPull* dkr_pull_unref(DkrPull *pull); +#define MDNS_PORT 5353 -DEFINE_TRIVIAL_CLEANUP_FUNC(DkrPull*, dkr_pull_unref); +int manager_mdns_ipv4_fd(Manager *m); +int manager_mdns_ipv6_fd(Manager *m); -int dkr_pull_start(DkrPull *pull, const char *name, const char *tag, const char *local, bool force_local, DkrPullVersion version); +void manager_mdns_stop(Manager *m); +int manager_mdns_start(Manager *m); diff --git a/src/resolve/test-dnssec.c b/src/resolve/test-dnssec.c index 0b2ffeeddd..5b4ee220c4 100644 --- a/src/resolve/test-dnssec.c +++ b/src/resolve/test-dnssec.c @@ -27,6 +27,103 @@  #include "resolved-dns-dnssec.h"  #include "resolved-dns-rr.h"  #include "string-util.h" +#include "hexdecoct.h" + +static void test_dnssec_verify_rrset2(void) { + +        static const uint8_t signature_blob[] = { +                0x48, 0x45, 0xc8, 0x8b, 0xc0, 0x14, 0x92, 0xf5, 0x15, 0xc6, 0x84, 0x9d, 0x2f, 0xe3, 0x32, 0x11, +                0x7d, 0xf1, 0xe6, 0x87, 0xb9, 0x42, 0xd3, 0x8b, 0x9e, 0xaf, 0x92, 0x31, 0x0a, 0x53, 0xad, 0x8b, +                0xa7, 0x5c, 0x83, 0x39, 0x8c, 0x28, 0xac, 0xce, 0x6e, 0x9c, 0x18, 0xe3, 0x31, 0x16, 0x6e, 0xca, +                0x38, 0x31, 0xaf, 0xd9, 0x94, 0xf1, 0x84, 0xb1, 0xdf, 0x5a, 0xc2, 0x73, 0x22, 0xf6, 0xcb, 0xa2, +                0xe7, 0x8c, 0x77, 0x0c, 0x74, 0x2f, 0xc2, 0x13, 0xb0, 0x93, 0x51, 0xa9, 0x4f, 0xae, 0x0a, 0xda, +                0x45, 0xcc, 0xfd, 0x43, 0x99, 0x36, 0x9a, 0x0d, 0x21, 0xe0, 0xeb, 0x30, 0x65, 0xd4, 0xa0, 0x27, +                0x37, 0x3b, 0xe4, 0xc1, 0xc5, 0xa1, 0x2a, 0xd1, 0x76, 0xc4, 0x7e, 0x64, 0x0e, 0x5a, 0xa6, 0x50, +                0x24, 0xd5, 0x2c, 0xcc, 0x6d, 0xe5, 0x37, 0xea, 0xbd, 0x09, 0x34, 0xed, 0x24, 0x06, 0xa1, 0x22, +        }; + +        static const uint8_t dnskey_blob[] = { +                0x03, 0x01, 0x00, 0x01, 0xc3, 0x7f, 0x1d, 0xd1, 0x1c, 0x97, 0xb1, 0x13, 0x34, 0x3a, 0x9a, 0xea, +                0xee, 0xd9, 0x5a, 0x11, 0x1b, 0x17, 0xc7, 0xe3, 0xd4, 0xda, 0x20, 0xbc, 0x5d, 0xba, 0x74, 0xe3, +                0x37, 0x99, 0xec, 0x25, 0xce, 0x93, 0x7f, 0xbd, 0x22, 0x73, 0x7e, 0x14, 0x71, 0xe0, 0x60, 0x07, +                0xd4, 0x39, 0x8b, 0x5e, 0xe9, 0xba, 0x25, 0xe8, 0x49, 0xe9, 0x34, 0xef, 0xfe, 0x04, 0x5c, 0xa5, +                0x27, 0xcd, 0xa9, 0xda, 0x70, 0x05, 0x21, 0xab, 0x15, 0x82, 0x24, 0xc3, 0x94, 0xf5, 0xd7, 0xb7, +                0xc4, 0x66, 0xcb, 0x32, 0x6e, 0x60, 0x2b, 0x55, 0x59, 0x28, 0x89, 0x8a, 0x72, 0xde, 0x88, 0x56, +                0x27, 0x95, 0xd9, 0xac, 0x88, 0x4f, 0x65, 0x2b, 0x68, 0xfc, 0xe6, 0x41, 0xc1, 0x1b, 0xef, 0x4e, +                0xd6, 0xc2, 0x0f, 0x64, 0x88, 0x95, 0x5e, 0xdd, 0x3a, 0x02, 0x07, 0x50, 0xa9, 0xda, 0xa4, 0x49, +                0x74, 0x62, 0xfe, 0xd7, +        }; + +        _cleanup_(dns_resource_record_unrefp) DnsResourceRecord *nsec = NULL, *rrsig = NULL, *dnskey = NULL; +        _cleanup_(dns_answer_unrefp) DnsAnswer *answer = NULL; +        _cleanup_free_ char *x = NULL, *y = NULL, *z = NULL; +        DnssecResult result; + +        nsec = dns_resource_record_new_full(DNS_CLASS_IN, DNS_TYPE_NSEC, "nasa.gov"); +        assert_se(nsec); + +        nsec->nsec.next_domain_name = strdup("3D-Printing.nasa.gov"); +        assert_se(nsec->nsec.next_domain_name); + +        nsec->nsec.types = bitmap_new(); +        assert_se(nsec->nsec.types); +        assert_se(bitmap_set(nsec->nsec.types, DNS_TYPE_A) >= 0); +        assert_se(bitmap_set(nsec->nsec.types, DNS_TYPE_NS) >= 0); +        assert_se(bitmap_set(nsec->nsec.types, DNS_TYPE_SOA) >= 0); +        assert_se(bitmap_set(nsec->nsec.types, DNS_TYPE_MX) >= 0); +        assert_se(bitmap_set(nsec->nsec.types, DNS_TYPE_TXT) >= 0); +        assert_se(bitmap_set(nsec->nsec.types, DNS_TYPE_RRSIG) >= 0); +        assert_se(bitmap_set(nsec->nsec.types, DNS_TYPE_NSEC) >= 0); +        assert_se(bitmap_set(nsec->nsec.types, DNS_TYPE_DNSKEY) >= 0); +        assert_se(bitmap_set(nsec->nsec.types, 65534) >= 0); + +        assert_se(dns_resource_record_to_string(nsec, &x) >= 0); +        log_info("NSEC: %s", x); + +        rrsig = dns_resource_record_new_full(DNS_CLASS_IN, DNS_TYPE_RRSIG, "NaSa.GOV."); +        assert_se(rrsig); + +        rrsig->rrsig.type_covered = DNS_TYPE_NSEC; +        rrsig->rrsig.algorithm = DNSSEC_ALGORITHM_RSASHA256; +        rrsig->rrsig.labels = 2; +        rrsig->rrsig.original_ttl = 300; +        rrsig->rrsig.expiration = 0x5689002f; +        rrsig->rrsig.inception = 0x56617230; +        rrsig->rrsig.key_tag = 30390; +        rrsig->rrsig.signer = strdup("Nasa.Gov."); +        assert_se(rrsig->rrsig.signer); +        rrsig->rrsig.signature_size = sizeof(signature_blob); +        rrsig->rrsig.signature = memdup(signature_blob, rrsig->rrsig.signature_size); +        assert_se(rrsig->rrsig.signature); + +        assert_se(dns_resource_record_to_string(rrsig, &y) >= 0); +        log_info("RRSIG: %s", y); + +        dnskey = dns_resource_record_new_full(DNS_CLASS_IN, DNS_TYPE_DNSKEY, "nASA.gOV"); +        assert_se(dnskey); + +        dnskey->dnskey.flags = 256; +        dnskey->dnskey.protocol = 3; +        dnskey->dnskey.algorithm = DNSSEC_ALGORITHM_RSASHA256; +        dnskey->dnskey.key_size = sizeof(dnskey_blob); +        dnskey->dnskey.key = memdup(dnskey_blob, sizeof(dnskey_blob)); +        assert_se(dnskey->dnskey.key); + +        assert_se(dns_resource_record_to_string(dnskey, &z) >= 0); +        log_info("DNSKEY: %s", z); +        log_info("DNSKEY keytag: %u", dnssec_keytag(dnskey)); + +        assert_se(dnssec_key_match_rrsig(nsec->key, rrsig) > 0); +        assert_se(dnssec_rrsig_match_dnskey(rrsig, dnskey) > 0); + +        answer = dns_answer_new(1); +        assert_se(answer); +        assert_se(dns_answer_add(answer, nsec, 0, DNS_ANSWER_AUTHENTICATED) >= 0); + +        /* Validate the RR as it if was 2015-12-11 today */ +        assert_se(dnssec_verify_rrset(answer, nsec->key, rrsig, dnskey, 1449849318*USEC_PER_SEC, &result) >= 0); +        assert_se(result == DNSSEC_VALIDATED); +}  static void test_dnssec_verify_rrset(void) { @@ -56,6 +153,7 @@ static void test_dnssec_verify_rrset(void) {          _cleanup_(dns_resource_record_unrefp) DnsResourceRecord *a = NULL, *rrsig = NULL, *dnskey = NULL;          _cleanup_(dns_answer_unrefp) DnsAnswer *answer = NULL;          _cleanup_free_ char *x = NULL, *y = NULL, *z = NULL; +        DnssecResult result;          a = dns_resource_record_new_full(DNS_CLASS_IN, DNS_TYPE_A, "nAsA.gov");          assert_se(a); @@ -103,10 +201,11 @@ static void test_dnssec_verify_rrset(void) {          answer = dns_answer_new(1);          assert_se(answer); -        assert_se(dns_answer_add(answer, a, 0) >= 0); +        assert_se(dns_answer_add(answer, a, 0, DNS_ANSWER_AUTHENTICATED) >= 0);          /* Validate the RR as it if was 2015-12-2 today */ -        assert_se(dnssec_verify_rrset(answer, a->key, rrsig, dnskey, 1449092754*USEC_PER_SEC) == DNSSEC_VERIFIED); +        assert_se(dnssec_verify_rrset(answer, a->key, rrsig, dnskey, 1449092754*USEC_PER_SEC, &result) >= 0); +        assert_se(result == DNSSEC_VALIDATED);  }  static void test_dnssec_verify_dns_key(void) { @@ -207,11 +306,46 @@ static void test_dnssec_canonicalize(void) {          test_dnssec_canonicalize_one("FOO..bar.", NULL, -EINVAL);  } +static void test_dnssec_nsec3_hash(void) { +        static const uint8_t salt[] = { 0xB0, 0x1D, 0xFA, 0xCE }; +        static const uint8_t next_hashed_name[] = { 0x84, 0x10, 0x26, 0x53, 0xc9, 0xfa, 0x4d, 0x85, 0x6c, 0x97, 0x82, 0xe2, 0x8f, 0xdf, 0x2d, 0x5e, 0x87, 0x69, 0xc4, 0x52 }; +        _cleanup_(dns_resource_record_unrefp) DnsResourceRecord *rr = NULL; +        _cleanup_free_ char *a = NULL, *b = NULL; +        uint8_t h[DNSSEC_HASH_SIZE_MAX]; +        int k; + +        /* The NSEC3 RR for eurid.eu on 2015-12-14. */ +        rr = dns_resource_record_new_full(DNS_CLASS_IN, DNS_TYPE_NSEC3, "PJ8S08RR45VIQDAQGE7EN3VHKNROTBMM.eurid.eu."); +        assert_se(rr); + +        rr->nsec3.algorithm = DNSSEC_DIGEST_SHA1; +        rr->nsec3.flags = 1; +        rr->nsec3.iterations = 1; +        rr->nsec3.salt = memdup(salt, sizeof(salt)); +        assert_se(rr->nsec3.salt); +        rr->nsec3.salt_size = sizeof(salt); +        rr->nsec3.next_hashed_name = memdup(next_hashed_name, sizeof(next_hashed_name)); +        assert_se(rr->nsec3.next_hashed_name); +        rr->nsec3.next_hashed_name_size = sizeof(next_hashed_name); + +        assert_se(dns_resource_record_to_string(rr, &a) >= 0); +        log_info("NSEC3: %s", a); + +        k = dnssec_nsec3_hash(rr, "eurid.eu", &h); +        assert_se(k >= 0); + +        b = base32hexmem(h, k, false); +        assert_se(b); +        assert_se(strcasecmp(b, "PJ8S08RR45VIQDAQGE7EN3VHKNROTBMM") == 0); +} +  int main(int argc, char*argv[]) {          test_dnssec_canonicalize();          test_dnssec_verify_dns_key();          test_dnssec_verify_rrset(); +        test_dnssec_verify_rrset2(); +        test_dnssec_nsec3_hash();          return 0;  } diff --git a/src/shared/bus-util.c b/src/shared/bus-util.c index e427cc1470..5c6dc34700 100644 --- a/src/shared/bus-util.c +++ b/src/shared/bus-util.c @@ -2381,23 +2381,28 @@ int bus_property_get_rlimit(          struct rlimit *rl;          uint64_t u;          rlim_t x; +        const char *is_soft;          assert(bus);          assert(reply);          assert(userdata); +        is_soft = endswith(property, "Soft");          rl = *(struct rlimit**) userdata;          if (rl) -                x = rl->rlim_max; +                x = is_soft ? rl->rlim_cur : rl->rlim_max;          else {                  struct rlimit buf = {};                  int z; +                const char *s; + +                s = is_soft ? strndupa(property, is_soft - property) : property; -                z = rlimit_from_string(strstr(property, "Limit")); +                z = rlimit_from_string(strstr(s, "Limit"));                  assert(z >= 0);                  getrlimit(z, &buf); -                x = buf.rlim_max; +                x = is_soft ? buf.rlim_cur : buf.rlim_max;          }          /* rlim_t might have different sizes, let's map diff --git a/src/shared/dns-domain.c b/src/shared/dns-domain.c index 0466857042..c46f7d21b7 100644 --- a/src/shared/dns-domain.c +++ b/src/shared/dns-domain.c @@ -48,7 +48,6 @@ int dns_label_unescape(const char **name, char *dest, size_t sz) {          assert(name);          assert(*name); -        assert(dest);          n = *name;          d = dest; @@ -79,9 +78,12 @@ int dns_label_unescape(const char **name, char *dest, size_t sz) {                          else if (*n == '\\' || *n == '.') {                                  /* Escaped backslash or dot */ -                                *(d++) = *(n++); + +                                if (d) +                                        *(d++) = *n;                                  sz--;                                  r++; +                                n++;                          } else if (n[0] >= '0' && n[0] <= '9') {                                  unsigned k; @@ -100,7 +102,8 @@ int dns_label_unescape(const char **name, char *dest, size_t sz) {                                  if (k < ' ' || k > 255 || k == 127)                                          return -EINVAL; -                                *(d++) = (char) k; +                                if (d) +                                        *(d++) = (char) k;                                  sz--;                                  r++; @@ -111,9 +114,12 @@ int dns_label_unescape(const char **name, char *dest, size_t sz) {                  } else if ((uint8_t) *n >= (uint8_t) ' ' && *n != 127) {                          /* Normal character */ -                        *(d++) = *(n++); + +                        if (d) +                                *(d++) = *n;                          sz--;                          r++; +                        n++;                  } else                          return -EINVAL;          } @@ -122,7 +128,7 @@ int dns_label_unescape(const char **name, char *dest, size_t sz) {          if (r == 0 && *n)                  return -EINVAL; -        if (sz >= 1) +        if (sz >= 1 && d)                  *d = 0;          *name = n; diff --git a/src/shared/dns-domain.h b/src/shared/dns-domain.h index 3f8f621802..02b51832b6 100644 --- a/src/shared/dns-domain.h +++ b/src/shared/dns-domain.h @@ -47,6 +47,10 @@ int dns_label_unescape_suffix(const char *name, const char **label_end, char *de  int dns_label_escape(const char *p, size_t l, char *dest, size_t sz);  int dns_label_escape_new(const char *p, size_t l, char **ret); +static inline int dns_name_parent(const char **name) { +        return dns_label_unescape(name, NULL, DNS_LABEL_MAX); +} +  int dns_label_apply_idna(const char *encoded, size_t encoded_size, char *decoded, size_t decoded_max);  int dns_label_undo_idna(const char *encoded, size_t encoded_size, char *decoded, size_t decoded_max); diff --git a/src/shared/import-util.c b/src/shared/import-util.c index 29ce732b56..ad400e8693 100644 --- a/src/shared/import-util.c +++ b/src/shared/import-util.c @@ -160,58 +160,6 @@ int raw_strip_suffixes(const char *p, char **ret) {          return 0;  } -bool dkr_digest_is_valid(const char *digest) { -        /* 7 chars for prefix, 64 chars for the digest itself */ -        if (strlen(digest) != 71) -                return false; - -        return startswith(digest, "sha256:") && in_charset(digest + 7, "0123456789abcdef"); -} - -bool dkr_ref_is_valid(const char *ref) { -        const char *colon; - -        if (isempty(ref)) -                return false; - -        colon = strchr(ref, ':'); -        if (!colon) -                return filename_is_valid(ref); - -        return dkr_digest_is_valid(ref); -} - -bool dkr_name_is_valid(const char *name) { -        const char *slash, *p; - -        if (isempty(name)) -                return false; - -        slash = strchr(name, '/'); -        if (!slash) -                return false; - -        if (!filename_is_valid(slash + 1)) -                return false; - -        p = strndupa(name, slash - name); -        if (!filename_is_valid(p)) -                return false; - -        return true; -} - -bool dkr_id_is_valid(const char *id) { - -        if (!filename_is_valid(id)) -                return false; - -        if (!in_charset(id, "0123456789abcdef")) -                return false; - -        return true; -} -  int import_assign_pool_quota_and_warn(const char *path) {          int r; diff --git a/src/shared/import-util.h b/src/shared/import-util.h index 9120a5119f..4bfa2d9aae 100644 --- a/src/shared/import-util.h +++ b/src/shared/import-util.h @@ -42,10 +42,4 @@ ImportVerify import_verify_from_string(const char *s) _pure_;  int tar_strip_suffixes(const char *name, char **ret);  int raw_strip_suffixes(const char *name, char **ret); -bool dkr_name_is_valid(const char *name); -bool dkr_id_is_valid(const char *id); -bool dkr_ref_is_valid(const char *ref); -bool dkr_digest_is_valid(const char *digest); -#define dkr_tag_is_valid(tag) filename_is_valid(tag) -  int import_assign_pool_quota_and_warn(const char *path); diff --git a/src/test/test-rbtree.c b/src/test/test-rbtree.c new file mode 100644 index 0000000000..8ae416c557 --- /dev/null +++ b/src/test/test-rbtree.c @@ -0,0 +1,362 @@ +/*** +  This file is part of systemd. See COPYING for details. + +  systemd is free software; you can redistribute it and/or modify it +  under the terms of the GNU Lesser General Public License as published by +  the Free Software Foundation; either version 2.1 of the License, or +  (at your option) any later version. + +  systemd is distributed in the hope that it will be useful, but +  WITHOUT ANY WARRANTY; without even the implied warranty of +  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU +  Lesser General Public License for more details. + +  You should have received a copy of the GNU Lesser General Public License +  along with systemd; If not, see <http://www.gnu.org/licenses/>. +***/ + +/* + * Tests for RB-Tree + */ + +#undef NDEBUG +#include <assert.h> +#include <stddef.h> +#include <stdlib.h> +#include "c-rbtree.h" + +/* verify that all API calls are exported */ +static void test_api(void) { +        CRBTree t = {}; +        CRBNode n = C_RBNODE_INIT(n); + +        assert(!c_rbnode_is_linked(&n)); + +        /* init, is_linked, add, remove, remove_init */ + +        c_rbtree_add(&t, NULL, &t.root, &n); +        assert(c_rbnode_is_linked(&n)); + +        c_rbtree_remove_init(&t, &n); +        assert(!c_rbnode_is_linked(&n)); + +        c_rbtree_add(&t, NULL, &t.root, &n); +        assert(c_rbnode_is_linked(&n)); + +        c_rbtree_remove(&t, &n); +        assert(c_rbnode_is_linked(&n)); /* @n wasn't touched */ + +        c_rbnode_init(&n); +        assert(!c_rbnode_is_linked(&n)); + +        /* first, last, leftmost, rightmost, next, prev */ + +        assert(!c_rbtree_first(&t)); +        assert(!c_rbtree_last(&t)); +        assert(&n == c_rbnode_leftmost(&n)); +        assert(&n == c_rbnode_rightmost(&n)); +        assert(!c_rbnode_next(&n)); +        assert(!c_rbnode_prev(&n)); +} + +/* copied from c-rbtree.c, relies on internal representation */ +static inline _Bool c_rbnode_is_red(CRBNode *n) { +        return !((unsigned long)n->__parent_and_color & 1UL); +} + +/* copied from c-rbtree.c, relies on internal representation */ +static inline _Bool c_rbnode_is_black(CRBNode *n) { +        return !!((unsigned long)n->__parent_and_color & 1UL); +} + +static size_t validate(CRBTree *t) { +        unsigned int i_black, n_black; +        CRBNode *n, *p, *o; +        size_t count = 0; + +        assert(t); +        assert(!t->root || c_rbnode_is_black(t->root)); + +        /* traverse to left-most child, count black nodes */ +        i_black = 0; +        n = t->root; +        while (n && n->left) { +                if (c_rbnode_is_black(n)) +                        ++i_black; +                n = n->left; +        } +        n_black = i_black; + +        /* +         * Traverse tree and verify correctness: +         *  1) A node is either red or black +         *  2) The root is black +         *  3) All leaves are black +         *  4) Every red node must have two black child nodes +         *  5) Every path to a leaf contains the same number of black nodes +         * +         * Note that NULL nodes are considered black, which is why we don't +         * check for 3). +         */ +        o = NULL; +        while (n) { +                ++count; + +                /* verify natural order */ +                assert(n > o); +                o = n; + +                /* verify consistency */ +                assert(!n->right || c_rbnode_parent(n->right) == n); +                assert(!n->left || c_rbnode_parent(n->left) == n); + +                /* verify 2) */ +                if (!c_rbnode_parent(n)) +                        assert(c_rbnode_is_black(n)); + +                if (c_rbnode_is_red(n)) { +                        /* verify 4) */ +                        assert(!n->left || c_rbnode_is_black(n->left)); +                        assert(!n->right || c_rbnode_is_black(n->right)); +                } else { +                        /* verify 1) */ +                        assert(c_rbnode_is_black(n)); +                } + +                /* verify 5) */ +                if (!n->left && !n->right) +                        assert(i_black == n_black); + +                /* get next node */ +                if (n->right) { +                        n = n->right; +                        if (c_rbnode_is_black(n)) +                                ++i_black; + +                        while (n->left) { +                                n = n->left; +                                if (c_rbnode_is_black(n)) +                                        ++i_black; +                        } +                } else { +                        while ((p = c_rbnode_parent(n)) && n == p->right) { +                                n = p; +                                if (c_rbnode_is_black(p->right)) +                                        --i_black; +                        } + +                        n = p; +                        if (p && c_rbnode_is_black(p->left)) +                                --i_black; +                } +        } + +        return count; +} + +static void insert(CRBTree *t, CRBNode *n) { +        CRBNode **i, *p; + +        assert(t); +        assert(n); +        assert(!c_rbnode_is_linked(n)); + +        i = &t->root; +        p = NULL; +        while (*i) { +                p = *i; +                if (n < *i) { +                        i = &(*i)->left; +                } else { +                        assert(n > *i); +                        i = &(*i)->right; +                } +        } + +        c_rbtree_add(t, p, i, n); +} + +static void shuffle(void **nodes, size_t n_memb) { +        unsigned int i, j; +        void *t; + +        for (i = 0; i < n_memb; ++i) { +                j = rand() % n_memb; +                t = nodes[j]; +                nodes[j] = nodes[i]; +                nodes[i] = t; +        } +} + +/* run some pseudo-random tests on the tree */ +static void test_shuffle(void) { +        CRBNode *nodes[256]; +        CRBTree t = {}; +        unsigned int i, j; +        size_t n; + +        /* allocate and initialize all nodes */ +        for (i = 0; i < sizeof(nodes) / sizeof(*nodes); ++i) { +                nodes[i] = malloc(sizeof(*nodes[i])); +                assert(nodes[i]); +                c_rbnode_init(nodes[i]); +        } + +        /* shuffle nodes and validate *empty* tree */ +        shuffle((void **)nodes, sizeof(nodes) / sizeof(*nodes)); +        n = validate(&t); +        assert(n == 0); + +        /* add all nodes and validate after each insertion */ +        for (i = 0; i < sizeof(nodes) / sizeof(*nodes); ++i) { +                insert(&t, nodes[i]); +                n = validate(&t); +                assert(n == i + 1); +        } + +        /* shuffle nodes again */ +        shuffle((void **)nodes, sizeof(nodes) / sizeof(*nodes)); + +        /* remove all nodes (in different order) and validate on each round */ +        for (i = 0; i < sizeof(nodes) / sizeof(*nodes); ++i) { +                c_rbtree_remove(&t, nodes[i]); +                n = validate(&t); +                assert(n == sizeof(nodes) / sizeof(*nodes) - i - 1); +                c_rbnode_init(nodes[i]); +        } + +        /* shuffle nodes and validate *empty* tree again */ +        shuffle((void **)nodes, sizeof(nodes) / sizeof(*nodes)); +        n = validate(&t); +        assert(n == 0); + +        /* add all nodes again */ +        for (i = 0; i < sizeof(nodes) / sizeof(*nodes); ++i) { +                insert(&t, nodes[i]); +                n = validate(&t); +                assert(n == i + 1); +        } + +        /* 4 times, remove half of the nodes and add them again */ +        for (j = 0; j < 4; ++j) { +                /* shuffle nodes again */ +                shuffle((void **)nodes, sizeof(nodes) / sizeof(*nodes)); + +                /* remove half of the nodes */ +                for (i = 0; i < sizeof(nodes) / sizeof(*nodes) / 2; ++i) { +                        c_rbtree_remove(&t, nodes[i]); +                        n = validate(&t); +                        assert(n == sizeof(nodes) / sizeof(*nodes) - i - 1); +                        c_rbnode_init(nodes[i]); +                } + +                /* shuffle the removed half */ +                shuffle((void **)nodes, sizeof(nodes) / sizeof(*nodes) / 2); + +                /* add the removed half again */ +                for (i = 0; i < sizeof(nodes) / sizeof(*nodes) / 2; ++i) { +                        insert(&t, nodes[i]); +                        n = validate(&t); +                        assert(n == sizeof(nodes) / sizeof(*nodes) / 2 + i + 1); +                } +        } + +        /* shuffle nodes again */ +        shuffle((void **)nodes, sizeof(nodes) / sizeof(*nodes)); + +        /* remove all */ +        for (i = 0; i < sizeof(nodes) / sizeof(*nodes); ++i) { +                c_rbtree_remove(&t, nodes[i]); +                n = validate(&t); +                assert(n == sizeof(nodes) / sizeof(*nodes) - i - 1); +                c_rbnode_init(nodes[i]); +        } + +        /* free nodes again */ +        for (i = 0; i < sizeof(nodes) / sizeof(*nodes); ++i) +                free(nodes[i]); +} + +typedef struct { +        unsigned long key; +        CRBNode rb; +} Node; + +#define node_from_rb(_rb) ((Node *)((char *)(_rb) - offsetof(Node, rb))) + +static int compare(CRBTree *t, void *k, CRBNode *n) { +        unsigned long key = (unsigned long)k; +        Node *node = node_from_rb(n); + +        return (key < node->key) ? -1 : (key > node->key) ? 1 : 0; +} + +/* run tests against the c_rbtree_find*() helpers */ +static void test_map(void) { +        CRBNode **slot, *p; +        CRBTree t = {}; +        Node *nodes[2048]; +        unsigned long i; + +        /* allocate and initialize all nodes */ +        for (i = 0; i < sizeof(nodes) / sizeof(*nodes); ++i) { +                nodes[i] = malloc(sizeof(*nodes[i])); +                assert(nodes[i]); +                nodes[i]->key = i; +                c_rbnode_init(&nodes[i]->rb); +        } + +        /* shuffle nodes */ +        shuffle((void **)nodes, sizeof(nodes) / sizeof(*nodes)); + +        /* add all nodes, and verify that each node is linked */ +        for (i = 0; i < sizeof(nodes) / sizeof(*nodes); ++i) { +                assert(!c_rbnode_is_linked(&nodes[i]->rb)); +                assert(!c_rbtree_find_entry(&t, compare, (void *)nodes[i]->key, Node, rb)); + +                slot = c_rbtree_find_slot(&t, compare, (void *)nodes[i]->key, &p); +                assert(slot); +                c_rbtree_add(&t, p, slot, &nodes[i]->rb); + +                assert(c_rbnode_is_linked(&nodes[i]->rb)); +                assert(nodes[i] == c_rbtree_find_entry(&t, compare, (void *)nodes[i]->key, Node, rb)); +        } + +        /* shuffle nodes again */ +        shuffle((void **)nodes, sizeof(nodes) / sizeof(*nodes)); + +        /* remove all nodes (in different order) */ +        for (i = 0; i < sizeof(nodes) / sizeof(*nodes); ++i) { +                assert(c_rbnode_is_linked(&nodes[i]->rb)); +                assert(nodes[i] == c_rbtree_find_entry(&t, compare, (void *)nodes[i]->key, Node, rb)); + +                c_rbtree_remove_init(&t, &nodes[i]->rb); + +                assert(!c_rbnode_is_linked(&nodes[i]->rb)); +                assert(!c_rbtree_find_entry(&t, compare, (void *)nodes[i]->key, Node, rb)); +        } + +        /* free nodes again */ +        for (i = 0; i < sizeof(nodes) / sizeof(*nodes); ++i) +                free(nodes[i]); +} + +int main(int argc, char **argv) { +        unsigned int i; + +        /* we want stable tests, so use fixed seed */ +        srand(0xdeadbeef); + +        test_api(); + +        /* +         * The tests are pseudo random; run them multiple times, each run will +         * have different orders and thus different results. +         */ +        for (i = 0; i < 4; ++i) { +                test_shuffle(); +                test_map(); +        } + +        return 0; +} diff --git a/src/test/test-rlimit-util.c b/src/test/test-rlimit-util.c new file mode 100644 index 0000000000..00d3ecc0de --- /dev/null +++ b/src/test/test-rlimit-util.c @@ -0,0 +1,69 @@ +/*** +  This file is part of systemd + +  systemd is free software; you can redistribute it and/or modify it +  under the terms of the GNU Lesser General Public License as published by +  the Free Software Foundation; either version 2.1 of the License, or +  (at your option) any later version. + +  systemd is distributed in the hope that it will be useful, but +  WITHOUT ANY WARRANTY; without even the implied warranty of +  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU +  Lesser General Public License for more details. + +  You should have received a copy of the GNU Lesser General Public License +  along with systemd; If not, see <http://www.gnu.org/licenses/>. +***/ + +#include <sys/resource.h> + +#include "capability-util.h" +#include "macro.h" +#include "rlimit-util.h" +#include "string-util.h" +#include "util.h" + +int main(int argc, char *argv[]) { +        struct rlimit old, new, high; +        struct rlimit err = { +                .rlim_cur = 10, +                .rlim_max = 5, +        }; + +        log_parse_environment(); +        log_open(); + +        assert_se(drop_capability(CAP_SYS_RESOURCE) == 0); + +        assert_se(getrlimit(RLIMIT_NOFILE, &old) == 0); +        new.rlim_cur = MIN(5U, old.rlim_max); +        new.rlim_max = MIN(10U, old.rlim_max); +        assert_se(setrlimit(RLIMIT_NOFILE, &new) >= 0); + +        assert_se(rlimit_from_string("LimitNOFILE") == RLIMIT_NOFILE); +        assert_se(rlimit_from_string("DefaultLimitNOFILE") == -1); + +        assert_se(streq_ptr(rlimit_to_string(RLIMIT_NOFILE), "LimitNOFILE")); +        assert_se(rlimit_to_string(-1) == NULL); + +        assert_se(getrlimit(RLIMIT_NOFILE, &old) == 0); +        assert_se(setrlimit_closest(RLIMIT_NOFILE, &old) == 0); +        assert_se(getrlimit(RLIMIT_NOFILE, &new) == 0); +        assert_se(old.rlim_cur == new.rlim_cur); +        assert_se(old.rlim_max == new.rlim_max); + +        assert_se(getrlimit(RLIMIT_NOFILE, &old) == 0); +        high = RLIMIT_MAKE_CONST(old.rlim_max + 1); +        assert_se(setrlimit_closest(RLIMIT_NOFILE, &high) == 0); +        assert_se(getrlimit(RLIMIT_NOFILE, &new) == 0); +        assert_se(new.rlim_max == old.rlim_max); +        assert_se(new.rlim_cur == new.rlim_max); + +        assert_se(getrlimit(RLIMIT_NOFILE, &old) == 0); +        assert_se(setrlimit_closest(RLIMIT_NOFILE, &err) == -EINVAL); +        assert_se(getrlimit(RLIMIT_NOFILE, &new) == 0); +        assert_se(old.rlim_cur == new.rlim_cur); +        assert_se(old.rlim_max == new.rlim_max); + +        return 0; +} diff --git a/src/udev/scsi_id/scsi.h b/src/udev/scsi_id/scsi.h index 3f99ae7724..1054551d0b 100644 --- a/src/udev/scsi_id/scsi.h +++ b/src/udev/scsi_id/scsi.h @@ -1,3 +1,5 @@ +/*-*- Mode: C; c-basic-offset: 8; indent-tabs-mode: nil -*-*/ +  /*   * scsi.h   * @@ -24,25 +26,25 @@ struct scsi_ioctl_command {  /*   * Default 5 second timeout   */ -#define DEF_TIMEOUT        5000 +#define DEF_TIMEOUT 5000 -#define SENSE_BUFF_LEN        32 +#define SENSE_BUFF_LEN 32  /*   * The request buffer size passed to the SCSI INQUIRY commands, use 254,   * as this is a nice value for some devices, especially some of the usb   * mass storage devices.   */ -#define        SCSI_INQ_BUFF_LEN        254 +#define SCSI_INQ_BUFF_LEN 254  /*   * SCSI INQUIRY vendor and model (really product) lengths.   */ -#define VENDOR_LENGTH        8 -#define        MODEL_LENGTH        16 +#define VENDOR_LENGTH 8 +#define MODEL_LENGTH 16 -#define INQUIRY_CMD     0x12 -#define INQUIRY_CMDLEN  6 +#define INQUIRY_CMD 0x12 +#define INQUIRY_CMDLEN 6  /*   * INQUIRY VPD page 0x83 identifier descriptor related values. Reference the @@ -52,34 +54,34 @@ struct scsi_ioctl_command {  /*   * id type values of id descriptors. These are assumed to fit in 4 bits.   */ -#define SCSI_ID_VENDOR_SPECIFIC        0 -#define SCSI_ID_T10_VENDOR        1 -#define SCSI_ID_EUI_64                2 -#define SCSI_ID_NAA                3 -#define SCSI_ID_RELPORT                4 +#define SCSI_ID_VENDOR_SPECIFIC 0 +#define SCSI_ID_T10_VENDOR      1 +#define SCSI_ID_EUI_64          2 +#define SCSI_ID_NAA             3 +#define SCSI_ID_RELPORT         4  #define SCSI_ID_TGTGROUP        5  #define SCSI_ID_LUNGROUP        6 -#define SCSI_ID_MD5                7 -#define SCSI_ID_NAME                8 +#define SCSI_ID_MD5             7 +#define SCSI_ID_NAME            8  /*   * Supported NAA values. These fit in 4 bits, so the "don't care" value   * cannot conflict with real values.   */ -#define        SCSI_ID_NAA_DONT_CARE                0xff -#define        SCSI_ID_NAA_IEEE_REG                5 -#define        SCSI_ID_NAA_IEEE_REG_EXTENDED        6 +#define SCSI_ID_NAA_DONT_CARE         0xff +#define SCSI_ID_NAA_IEEE_REG          0x05 +#define SCSI_ID_NAA_IEEE_REG_EXTENDED 0x06  /*   * Supported Code Set values.   */ -#define        SCSI_ID_BINARY        1 -#define        SCSI_ID_ASCII        2 +#define SCSI_ID_BINARY 1 +#define SCSI_ID_ASCII  2  struct scsi_id_search_values { -        u_char        id_type; -        u_char        naa_type; -        u_char        code_set; +        u_char id_type; +        u_char naa_type; +        u_char code_set;  };  /* @@ -87,13 +89,13 @@ struct scsi_id_search_values {   * used a 1 bit right and masked version of these. So now CHECK_CONDITION   * and friends (in <scsi/scsi.h>) are deprecated.   */ -#define SCSI_CHECK_CONDITION 0x2 -#define SCSI_CONDITION_MET 0x4 -#define SCSI_BUSY 0x8 -#define SCSI_IMMEDIATE 0x10 +#define SCSI_CHECK_CONDITION         0x02 +#define SCSI_CONDITION_MET           0x04 +#define SCSI_BUSY                    0x08 +#define SCSI_IMMEDIATE               0x10  #define SCSI_IMMEDIATE_CONDITION_MET 0x14 -#define SCSI_RESERVATION_CONFLICT 0x18 -#define SCSI_COMMAND_TERMINATED 0x22 -#define SCSI_TASK_SET_FULL 0x28 -#define SCSI_ACA_ACTIVE 0x30 -#define SCSI_TASK_ABORTED 0x40 +#define SCSI_RESERVATION_CONFLICT    0x18 +#define SCSI_COMMAND_TERMINATED      0x22 +#define SCSI_TASK_SET_FULL           0x28 +#define SCSI_ACA_ACTIVE              0x30 +#define SCSI_TASK_ABORTED            0x40 diff --git a/src/udev/scsi_id/scsi_id.c b/src/udev/scsi_id/scsi_id.c index 4655691642..e9ab7dce59 100644 --- a/src/udev/scsi_id/scsi_id.c +++ b/src/udev/scsi_id/scsi_id.c @@ -1,3 +1,5 @@ +/*-*- Mode: C; c-basic-offset: 8; indent-tabs-mode: nil -*-*/ +  /*   * Copyright (C) IBM Corp. 2003   * Copyright (C) SUSE Linux Products GmbH, 2006 diff --git a/src/udev/scsi_id/scsi_id.h b/src/udev/scsi_id/scsi_id.h index 141b116a88..25f3d1a3b7 100644 --- a/src/udev/scsi_id/scsi_id.h +++ b/src/udev/scsi_id/scsi_id.h @@ -1,3 +1,5 @@ +/*-*- Mode: C; c-basic-offset: 8; indent-tabs-mode: nil -*-*/ +  /*   * Copyright (C) IBM Corp. 2003   * diff --git a/src/udev/scsi_id/scsi_serial.c b/src/udev/scsi_id/scsi_serial.c index c7ef783684..bc18af05af 100644 --- a/src/udev/scsi_id/scsi_serial.c +++ b/src/udev/scsi_id/scsi_serial.c @@ -1,3 +1,5 @@ +/*-*- Mode: C; c-basic-offset: 8; indent-tabs-mode: nil -*-*/ +  /*   * Copyright (C) IBM Corp. 2003   * @@ -50,11 +52,11 @@   * is normally one or some small number of descriptors.   */  static const struct scsi_id_search_values id_search_list[] = { -        { SCSI_ID_TGTGROUP,        SCSI_ID_NAA_DONT_CARE,        SCSI_ID_BINARY }, -        { SCSI_ID_NAA,        SCSI_ID_NAA_IEEE_REG_EXTENDED,        SCSI_ID_BINARY }, -        { SCSI_ID_NAA,        SCSI_ID_NAA_IEEE_REG_EXTENDED,        SCSI_ID_ASCII }, -        { SCSI_ID_NAA,        SCSI_ID_NAA_IEEE_REG,        SCSI_ID_BINARY }, -        { SCSI_ID_NAA,        SCSI_ID_NAA_IEEE_REG,        SCSI_ID_ASCII }, +        { SCSI_ID_TGTGROUP, SCSI_ID_NAA_DONT_CARE,         SCSI_ID_BINARY }, +        { SCSI_ID_NAA,      SCSI_ID_NAA_IEEE_REG_EXTENDED, SCSI_ID_BINARY }, +        { SCSI_ID_NAA,      SCSI_ID_NAA_IEEE_REG_EXTENDED, SCSI_ID_ASCII  }, +        { SCSI_ID_NAA,      SCSI_ID_NAA_IEEE_REG,          SCSI_ID_BINARY }, +        { SCSI_ID_NAA,      SCSI_ID_NAA_IEEE_REG,          SCSI_ID_ASCII  },          /*           * Devices already exist using NAA values that are now marked           * reserved. These should not conflict with other values, or it is @@ -64,14 +66,14 @@ static const struct scsi_id_search_values id_search_list[] = {           * non-IEEE descriptors in a random order will get different           * names.           */ -        { SCSI_ID_NAA,        SCSI_ID_NAA_DONT_CARE,        SCSI_ID_BINARY }, -        { SCSI_ID_NAA,        SCSI_ID_NAA_DONT_CARE,        SCSI_ID_ASCII }, -        { SCSI_ID_EUI_64,        SCSI_ID_NAA_DONT_CARE,        SCSI_ID_BINARY }, -        { SCSI_ID_EUI_64,        SCSI_ID_NAA_DONT_CARE,        SCSI_ID_ASCII }, -        { SCSI_ID_T10_VENDOR,        SCSI_ID_NAA_DONT_CARE,        SCSI_ID_BINARY }, -        { SCSI_ID_T10_VENDOR,        SCSI_ID_NAA_DONT_CARE,        SCSI_ID_ASCII }, -        { SCSI_ID_VENDOR_SPECIFIC,        SCSI_ID_NAA_DONT_CARE,        SCSI_ID_BINARY }, -        { SCSI_ID_VENDOR_SPECIFIC,        SCSI_ID_NAA_DONT_CARE,        SCSI_ID_ASCII }, +        { SCSI_ID_NAA,             SCSI_ID_NAA_DONT_CARE, SCSI_ID_BINARY }, +        { SCSI_ID_NAA,             SCSI_ID_NAA_DONT_CARE, SCSI_ID_ASCII  }, +        { SCSI_ID_EUI_64,          SCSI_ID_NAA_DONT_CARE, SCSI_ID_BINARY }, +        { SCSI_ID_EUI_64,          SCSI_ID_NAA_DONT_CARE, SCSI_ID_ASCII  }, +        { SCSI_ID_T10_VENDOR,      SCSI_ID_NAA_DONT_CARE, SCSI_ID_BINARY }, +        { SCSI_ID_T10_VENDOR,      SCSI_ID_NAA_DONT_CARE, SCSI_ID_ASCII  }, +        { SCSI_ID_VENDOR_SPECIFIC, SCSI_ID_NAA_DONT_CARE, SCSI_ID_BINARY }, +        { SCSI_ID_VENDOR_SPECIFIC, SCSI_ID_NAA_DONT_CARE, SCSI_ID_ASCII  },  };  static const char hex_str[]="0123456789abcdef"; @@ -81,21 +83,21 @@ static const char hex_str[]="0123456789abcdef";   * are used here.   */ -#define DID_NO_CONNECT                        0x01        /* Unable to connect before timeout */ -#define DID_BUS_BUSY                        0x02        /* Bus remain busy until timeout */ -#define DID_TIME_OUT                        0x03        /* Timed out for some other reason */ -#define DRIVER_TIMEOUT                        0x06 -#define DRIVER_SENSE                        0x08        /* Sense_buffer has been set */ +#define DID_NO_CONNECT               0x01        /* Unable to connect before timeout */ +#define DID_BUS_BUSY                 0x02        /* Bus remain busy until timeout */ +#define DID_TIME_OUT                 0x03        /* Timed out for some other reason */ +#define DRIVER_TIMEOUT               0x06 +#define DRIVER_SENSE                 0x08        /* Sense_buffer has been set */  /* The following "category" function returns one of the following */  #define SG_ERR_CAT_CLEAN                0        /* No errors or other information */  #define SG_ERR_CAT_MEDIA_CHANGED        1        /* interpreted from sense buffer */  #define SG_ERR_CAT_RESET                2        /* interpreted from sense buffer */ -#define SG_ERR_CAT_TIMEOUT                3 -#define SG_ERR_CAT_RECOVERED                4        /* Successful command after recovered err */ -#define SG_ERR_CAT_NOTSUPPORTED                5        /* Illegal / unsupported command */ -#define SG_ERR_CAT_SENSE                98        /* Something else in the sense buffer */ -#define SG_ERR_CAT_OTHER                99        /* Some other error/warning */ +#define SG_ERR_CAT_TIMEOUT              3 +#define SG_ERR_CAT_RECOVERED            4        /* Successful command after recovered err */ +#define SG_ERR_CAT_NOTSUPPORTED         5        /* Illegal / unsupported command */ +#define SG_ERR_CAT_SENSE               98        /* Something else in the sense buffer */ +#define SG_ERR_CAT_OTHER               99        /* Some other error/warning */  static int do_scsi_page80_inquiry(struct udev *udev,                                    struct scsi_id_device *dev_scsi, int fd, @@ -212,7 +214,7 @@ static int scsi_dump_sense(struct udev *udev,                  s = sense_buffer[7] + 8;                  if (sb_len < s) {                          log_debug("%s: sense buffer too small %d bytes, %d bytes too short", -                            dev_scsi->kernel, sb_len, s - sb_len); +                                  dev_scsi->kernel, sb_len, s - sb_len);                          return -1;                  }                  if ((code == 0x0) || (code == 0x1)) { @@ -222,7 +224,7 @@ static int scsi_dump_sense(struct udev *udev,                                   * Possible?                                   */                                  log_debug("%s: sense result too" " small %d bytes", -                                    dev_scsi->kernel, s); +                                          dev_scsi->kernel, s);                                  return -1;                          }                          asc = sense_buffer[12]; @@ -233,15 +235,15 @@ static int scsi_dump_sense(struct udev *udev,                          ascq = sense_buffer[3];                  } else {                          log_debug("%s: invalid sense code 0x%x", -                            dev_scsi->kernel, code); +                                  dev_scsi->kernel, code);                          return -1;                  }                  log_debug("%s: sense key 0x%x ASC 0x%x ASCQ 0x%x", -                    dev_scsi->kernel, sense_key, asc, ascq); +                          dev_scsi->kernel, sense_key, asc, ascq);          } else {                  if (sb_len < 4) {                          log_debug("%s: sense buffer too small %d bytes, %d bytes too short", -                            dev_scsi->kernel, sb_len, 4 - sb_len); +                                  dev_scsi->kernel, sb_len, 4 - sb_len);                          return -1;                  } @@ -249,9 +251,9 @@ static int scsi_dump_sense(struct udev *udev,                          log_debug("%s: old sense key: 0x%x", dev_scsi->kernel, sense_buffer[0] & 0x0f);                  else                          log_debug("%s: sense = %2x %2x", -                            dev_scsi->kernel, sense_buffer[0], sense_buffer[2]); +                                  dev_scsi->kernel, sense_buffer[0], sense_buffer[2]);                  log_debug("%s: non-extended sense class %d code 0x%0x", -                    dev_scsi->kernel, sense_class, code); +                          dev_scsi->kernel, sense_class, code);          } @@ -282,7 +284,7 @@ static int scsi_dump(struct udev *udev,          }          log_debug("%s: sg_io failed status 0x%x 0x%x 0x%x 0x%x", -            dev_scsi->kernel, io->driver_status, io->host_status, io->msg_status, io->status); +                  dev_scsi->kernel, io->driver_status, io->host_status, io->msg_status, io->status);          if (io->status == SCSI_CHECK_CONDITION)                  return scsi_dump_sense(udev, dev_scsi, io->sbp, io->sb_len_wr);          else @@ -302,8 +304,7 @@ static int scsi_dump_v4(struct udev *udev,          }          log_debug("%s: sg_io failed status 0x%x 0x%x 0x%x", -            dev_scsi->kernel, io->driver_status, io->transport_status, -             io->device_status); +                  dev_scsi->kernel, io->driver_status, io->transport_status, io->device_status);          if (io->device_status == SCSI_CHECK_CONDITION)                  return scsi_dump_sense(udev, dev_scsi, (unsigned char *)(uintptr_t)io->response,                                         io->response_len); @@ -399,7 +400,7 @@ resend:  error:          if (retval < 0)                  log_debug("%s: Unable to get INQUIRY vpd %d page 0x%x.", -                    dev_scsi->kernel, evpd, page); +                          dev_scsi->kernel, evpd, page);          return retval;  } @@ -421,7 +422,7 @@ static int do_scsi_page0_inquiry(struct udev *udev,                  return 1;          }          if (buffer[3] > len) { -                log_debug("%s: page 0 buffer too long %d", dev_scsi->kernel,         buffer[3]); +                log_debug("%s: page 0 buffer too long %d", dev_scsi->kernel, buffer[3]);                  return 1;          } @@ -464,7 +465,7 @@ static int prepend_vendor_model(struct udev *udev,           */          if (ind != (VENDOR_LENGTH + MODEL_LENGTH)) {                  log_debug("%s: expected length %d, got length %d", -                     dev_scsi->kernel, (VENDOR_LENGTH + MODEL_LENGTH), ind); +                          dev_scsi->kernel, (VENDOR_LENGTH + MODEL_LENGTH), ind);                  return -1;          }          return ind; @@ -529,7 +530,7 @@ static int check_fill_0x83_id(struct udev *udev,          if (max_len < len) {                  log_debug("%s: length %d too short - need %d", -                    dev_scsi->kernel, max_len, len); +                          dev_scsi->kernel, max_len, len);                  return 1;          } @@ -785,7 +786,7 @@ static int do_scsi_page80_inquiry(struct udev *udev,          len = 1 + VENDOR_LENGTH + MODEL_LENGTH + buf[3];          if (max_len < len) {                  log_debug("%s: length %d too short - need %d", -                     dev_scsi->kernel, max_len, len); +                          dev_scsi->kernel, max_len, len);                  return 1;          }          /* diff --git a/src/udev/udev-builtin-blkid.c b/src/udev/udev-builtin-blkid.c index d0e47ec6d8..0b1ae706e7 100644 --- a/src/udev/udev-builtin-blkid.c +++ b/src/udev/udev-builtin-blkid.c @@ -1,3 +1,5 @@ +/*-*- Mode: C; c-basic-offset: 8; indent-tabs-mode: nil -*-*/ +  /*   * probe disks for filesystems and partitions   * diff --git a/src/udev/udev-builtin-btrfs.c b/src/udev/udev-builtin-btrfs.c index cfaa463804..467010f5b3 100644 --- a/src/udev/udev-builtin-btrfs.c +++ b/src/udev/udev-builtin-btrfs.c @@ -1,3 +1,5 @@ +/*-*- Mode: C; c-basic-offset: 8; indent-tabs-mode: nil -*-*/ +  /***    This file is part of systemd. diff --git a/src/udev/udev-builtin-hwdb.c b/src/udev/udev-builtin-hwdb.c index f4a065a97d..a9e312e2c0 100644 --- a/src/udev/udev-builtin-hwdb.c +++ b/src/udev/udev-builtin-hwdb.c @@ -1,3 +1,5 @@ +/*-*- Mode: C; c-basic-offset: 8; indent-tabs-mode: nil -*-*/ +  /***    This file is part of systemd. diff --git a/src/udev/udev-builtin-input_id.c b/src/udev/udev-builtin-input_id.c index fddafbd4dc..1d31829a08 100644 --- a/src/udev/udev-builtin-input_id.c +++ b/src/udev/udev-builtin-input_id.c @@ -1,3 +1,5 @@ +/*-*- Mode: C; c-basic-offset: 8; indent-tabs-mode: nil -*-*/ +  /*   * expose input properties via udev   * diff --git a/src/udev/udev-builtin-keyboard.c b/src/udev/udev-builtin-keyboard.c index aa10beafb0..b80be52567 100644 --- a/src/udev/udev-builtin-keyboard.c +++ b/src/udev/udev-builtin-keyboard.c @@ -1,3 +1,5 @@ +/*-*- Mode: C; c-basic-offset: 8; indent-tabs-mode: nil -*-*/ +  /***    This file is part of systemd. diff --git a/src/udev/udev-builtin-kmod.c b/src/udev/udev-builtin-kmod.c index 9665f678fd..9210d1cc71 100644 --- a/src/udev/udev-builtin-kmod.c +++ b/src/udev/udev-builtin-kmod.c @@ -1,3 +1,5 @@ +/*-*- Mode: C; c-basic-offset: 8; indent-tabs-mode: nil -*-*/ +  /*   * load kernel modules   * diff --git a/src/udev/udev-builtin-net_id.c b/src/udev/udev-builtin-net_id.c index bf5c9c6b77..e549fdbee9 100644 --- a/src/udev/udev-builtin-net_id.c +++ b/src/udev/udev-builtin-net_id.c @@ -1,3 +1,5 @@ +/*-*- Mode: C; c-basic-offset: 8; indent-tabs-mode: nil -*-*/ +  /***    This file is part of systemd. diff --git a/src/udev/udev-builtin-path_id.c b/src/udev/udev-builtin-path_id.c index aa18c7e420..7851cec17f 100644 --- a/src/udev/udev-builtin-path_id.c +++ b/src/udev/udev-builtin-path_id.c @@ -1,3 +1,5 @@ +/*-*- Mode: C; c-basic-offset: 8; indent-tabs-mode: nil -*-*/ +  /*   * compose persistent device path   * diff --git a/src/udev/udev-builtin-uaccess.c b/src/udev/udev-builtin-uaccess.c index 3ebe36f043..b650a15bd8 100644 --- a/src/udev/udev-builtin-uaccess.c +++ b/src/udev/udev-builtin-uaccess.c @@ -1,3 +1,5 @@ +/*-*- Mode: C; c-basic-offset: 8; indent-tabs-mode: nil -*-*/ +  /*   * manage device node user ACL   * diff --git a/src/udev/udev-builtin-usb_id.c b/src/udev/udev-builtin-usb_id.c index 587649eff0..40d1e8cc47 100644 --- a/src/udev/udev-builtin-usb_id.c +++ b/src/udev/udev-builtin-usb_id.c @@ -1,3 +1,5 @@ +/*-*- Mode: C; c-basic-offset: 8; indent-tabs-mode: nil -*-*/ +  /*   * USB device properties and persistent device path   * diff --git a/src/udev/udev-builtin.c b/src/udev/udev-builtin.c index e6b36f124f..18fb6615d5 100644 --- a/src/udev/udev-builtin.c +++ b/src/udev/udev-builtin.c @@ -1,3 +1,5 @@ +/*-*- Mode: C; c-basic-offset: 8; indent-tabs-mode: nil -*-*/ +  /***    This file is part of systemd. diff --git a/src/udev/udev-ctrl.c b/src/udev/udev-ctrl.c index 962de22f43..10dd747256 100644 --- a/src/udev/udev-ctrl.c +++ b/src/udev/udev-ctrl.c @@ -1,3 +1,5 @@ +/*-*- Mode: C; c-basic-offset: 8; indent-tabs-mode: nil -*-*/ +  /*   * libudev - interface to udev device information   * diff --git a/src/udev/udev-event.c b/src/udev/udev-event.c index 8d601c9c2c..c1dcee6c73 100644 --- a/src/udev/udev-event.c +++ b/src/udev/udev-event.c @@ -1,3 +1,5 @@ +/*-*- Mode: C; c-basic-offset: 8; indent-tabs-mode: nil -*-*/ +  /*   * Copyright (C) 2003-2013 Kay Sievers <kay@vrfy.org>   * diff --git a/src/udev/udev-node.c b/src/udev/udev-node.c index c2edf2c5cd..39ae2cc1b1 100644 --- a/src/udev/udev-node.c +++ b/src/udev/udev-node.c @@ -1,3 +1,5 @@ +/*-*- Mode: C; c-basic-offset: 8; indent-tabs-mode: nil -*-*/ +  /*   * Copyright (C) 2003-2013 Kay Sievers <kay@vrfy.org>   * diff --git a/src/udev/udev-rules.c b/src/udev/udev-rules.c index c06ace09cf..7342f2849e 100644 --- a/src/udev/udev-rules.c +++ b/src/udev/udev-rules.c @@ -1,3 +1,5 @@ +/*-*- Mode: C; c-basic-offset: 8; indent-tabs-mode: nil -*-*/ +  /*   * Copyright (C) 2003-2012 Kay Sievers <kay@vrfy.org>   * diff --git a/src/udev/udev-watch.c b/src/udev/udev-watch.c index f1fdccaed8..60de703706 100644 --- a/src/udev/udev-watch.c +++ b/src/udev/udev-watch.c @@ -1,3 +1,5 @@ +/*-*- Mode: C; c-basic-offset: 8; indent-tabs-mode: nil -*-*/ +  /*   * Copyright (C) 2004-2012 Kay Sievers <kay@vrfy.org>   * Copyright (C) 2009 Canonical Ltd. diff --git a/src/udev/udev.h b/src/udev/udev.h index 1f9c8120c0..4f4002056c 100644 --- a/src/udev/udev.h +++ b/src/udev/udev.h @@ -1,3 +1,5 @@ +/*-*- Mode: C; c-basic-offset: 8; indent-tabs-mode: nil -*-*/ +  /*   * Copyright (C) 2003 Greg Kroah-Hartman <greg@kroah.com>   * Copyright (C) 2003-2010 Kay Sievers <kay@vrfy.org> diff --git a/src/udev/udevadm-control.c b/src/udev/udevadm-control.c index 989decbe95..119033c2af 100644 --- a/src/udev/udevadm-control.c +++ b/src/udev/udevadm-control.c @@ -1,3 +1,5 @@ +/*-*- Mode: C; c-basic-offset: 8; indent-tabs-mode: nil -*-*/ +  /*   * Copyright (C) 2005-2011 Kay Sievers <kay@vrfy.org>   * diff --git a/src/udev/udevadm-hwdb.c b/src/udev/udevadm-hwdb.c index 948ad0f5a5..53f0871957 100644 --- a/src/udev/udevadm-hwdb.c +++ b/src/udev/udevadm-hwdb.c @@ -1,3 +1,5 @@ +/*-*- Mode: C; c-basic-offset: 8; indent-tabs-mode: nil -*-*/ +  /***    This file is part of systemd. diff --git a/src/udev/udevadm-info.c b/src/udev/udevadm-info.c index 7182668f23..ca67c385b4 100644 --- a/src/udev/udevadm-info.c +++ b/src/udev/udevadm-info.c @@ -1,3 +1,5 @@ +/*-*- Mode: C; c-basic-offset: 8; indent-tabs-mode: nil -*-*/ +  /*   * Copyright (C) 2004-2009 Kay Sievers <kay@vrfy.org>   * diff --git a/src/udev/udevadm-monitor.c b/src/udev/udevadm-monitor.c index f9cb5e63a2..1579894082 100644 --- a/src/udev/udevadm-monitor.c +++ b/src/udev/udevadm-monitor.c @@ -1,3 +1,5 @@ +/*-*- Mode: C; c-basic-offset: 8; indent-tabs-mode: nil -*-*/ +  /*   * Copyright (C) 2004-2010 Kay Sievers <kay@vrfy.org>   * diff --git a/src/udev/udevadm-settle.c b/src/udev/udevadm-settle.c index 6a5dc6e9e4..2cc9f123bd 100644 --- a/src/udev/udevadm-settle.c +++ b/src/udev/udevadm-settle.c @@ -1,3 +1,5 @@ +/*-*- Mode: C; c-basic-offset: 8; indent-tabs-mode: nil -*-*/ +  /*   * Copyright (C) 2006-2009 Kay Sievers <kay@vrfy.org>   * Copyright (C) 2009 Canonical Ltd. diff --git a/src/udev/udevadm-test-builtin.c b/src/udev/udevadm-test-builtin.c index 0b180d03eb..7389ca1b72 100644 --- a/src/udev/udevadm-test-builtin.c +++ b/src/udev/udevadm-test-builtin.c @@ -1,3 +1,5 @@ +/*-*- Mode: C; c-basic-offset: 8; indent-tabs-mode: nil -*-*/ +  /*   * Copyright (C) 2011 Kay Sievers <kay@vrfy.org>   * diff --git a/src/udev/udevadm-test.c b/src/udev/udevadm-test.c index ff427cf292..00ad917efc 100644 --- a/src/udev/udevadm-test.c +++ b/src/udev/udevadm-test.c @@ -1,3 +1,5 @@ +/*-*- Mode: C; c-basic-offset: 8; indent-tabs-mode: nil -*-*/ +  /*   * Copyright (C) 2003-2004 Greg Kroah-Hartman <greg@kroah.com>   * Copyright (C) 2004-2008 Kay Sievers <kay@vrfy.org> diff --git a/src/udev/udevadm-trigger.c b/src/udev/udevadm-trigger.c index 9d52345d92..1385b87b3a 100644 --- a/src/udev/udevadm-trigger.c +++ b/src/udev/udevadm-trigger.c @@ -1,3 +1,5 @@ +/*-*- Mode: C; c-basic-offset: 8; indent-tabs-mode: nil -*-*/ +  /*   * Copyright (C) 2008-2009 Kay Sievers <kay@vrfy.org>   * diff --git a/src/udev/udevadm-util.c b/src/udev/udevadm-util.c index 3539c1d6ab..94cbe21f3e 100644 --- a/src/udev/udevadm-util.c +++ b/src/udev/udevadm-util.c @@ -1,3 +1,5 @@ +/*-*- Mode: C; c-basic-offset: 8; indent-tabs-mode: nil -*-*/ +  /*   * Copyright (C) 2008-2009 Kay Sievers <kay@vrfy.org>   * diff --git a/src/udev/udevadm-util.h b/src/udev/udevadm-util.h index 37e4fe8369..5882096081 100644 --- a/src/udev/udevadm-util.h +++ b/src/udev/udevadm-util.h @@ -1,3 +1,5 @@ +/*-*- Mode: C; c-basic-offset: 8; indent-tabs-mode: nil -*-*/ +  /*   * Copyright (C) 2014 Zbigniew JÄ™drzejewski-Szmek <zbyszek@in.waw.pl>   * diff --git a/src/udev/udevadm.c b/src/udev/udevadm.c index 60f122ebda..af1b5a9186 100644 --- a/src/udev/udevadm.c +++ b/src/udev/udevadm.c @@ -1,4 +1,5 @@  /*-*- Mode: C; c-basic-offset: 8; indent-tabs-mode: nil -*-*/ +  /*   * Copyright (C) 2007-2012 Kay Sievers <kay@vrfy.org>   * diff --git a/src/udev/udevd.c b/src/udev/udevd.c index 8b2f5d4e30..366e7fbb87 100644 --- a/src/udev/udevd.c +++ b/src/udev/udevd.c @@ -1,3 +1,5 @@ +/*-*- Mode: C; c-basic-offset: 8; indent-tabs-mode: nil -*-*/ +  /*   * Copyright (C) 2004-2012 Kay Sievers <kay@vrfy.org>   * Copyright (C) 2004 Chris Friesen <chris_friesen@sympatico.ca> diff --git a/src/udev/v4l_id/v4l_id.c b/src/udev/v4l_id/v4l_id.c index aec6676a33..377eb7a72c 100644 --- a/src/udev/v4l_id/v4l_id.c +++ b/src/udev/v4l_id/v4l_id.c @@ -1,3 +1,5 @@ +/*-*- Mode: C; c-basic-offset: 8; indent-tabs-mode: nil -*-*/ +  /*   * Copyright (C) 2009 Kay Sievers <kay@vrfy.org>   * Copyright (c) 2009 Filippo Argiolas <filippo.argiolas@gmail.com> | 
