Diffstat (limited to 'src')
| -rw-r--r-- | src/basic/missing.h | 8 | ||||
| -rw-r--r-- | src/core/timer.c | 2 | ||||
| -rw-r--r-- | src/network/networkd-manager.c | 19 | ||||
| -rw-r--r-- | src/resolve/dns-type.c | 17 | ||||
| -rw-r--r-- | src/resolve/dns-type.h | 1 | ||||
| -rw-r--r-- | src/resolve/resolve-tool.c | 17 | ||||
| -rw-r--r-- | src/resolve/resolved-bus.c | 34 | ||||
| -rw-r--r-- | src/resolve/resolved-manager.c | 2 | ||||
| -rw-r--r-- | src/resolve/resolved.conf.in | 2 | ||||
| -rw-r--r-- | src/udev/udevd.c | 2 | 
10 files changed, 81 insertions, 23 deletions
| diff --git a/src/basic/missing.h b/src/basic/missing.h index 4d3764c022..f3d32362bd 100644 --- a/src/basic/missing.h +++ b/src/basic/missing.h @@ -167,7 +167,7 @@ static inline int pivot_root(const char *new_root, const char *put_old) {  #  endif  #endif -#ifndef HAVE_MEMFD_CREATE +#if !HAVE_DECL_MEMFD_CREATE  static inline int memfd_create(const char *name, unsigned int flags) {          return syscall(__NR_memfd_create, name, flags);  } @@ -1089,7 +1089,7 @@ static inline int kcmp(pid_t pid1, pid_t pid2, int type, unsigned long idx1, uns  #define INPUT_PROP_ACCELEROMETER  0x06  #endif -#if !HAVE_DECL_KEY_SERIAL_T +#ifndef HAVE_KEY_SERIAL_T  typedef int32_t key_serial_t;  #endif @@ -1160,11 +1160,11 @@ static inline key_serial_t request_key(const char *type, const char *description  #ifndef IF_OPER_UP  #define IF_OPER_UP 6 -#ifndef HAVE_DECL_CHAR32_T +#ifndef HAVE_CHAR32_T  #define char32_t uint32_t  #endif -#ifndef HAVE_DECL_CHAR16_T +#ifndef HAVE_CHAR16_T  #define char16_t uint16_t  #endif diff --git a/src/core/timer.c b/src/core/timer.c index 6f3e6a8db3..3d0bae16e5 100644 --- a/src/core/timer.c +++ b/src/core/timer.c @@ -334,7 +334,7 @@ static void add_random(Timer *t, usec_t *v) {          usec_t add;          assert(t); -        assert(*v); +        assert(v);          if (t->random_usec == 0)                  return; diff --git a/src/network/networkd-manager.c b/src/network/networkd-manager.c index b527191a5a..b8cb7f875d 100644 --- a/src/network/networkd-manager.c +++ b/src/network/networkd-manager.c 
@@ -1091,22 +1091,19 @@ static bool manager_check_idle(void *userdata) {          assert(m); +        /* Check whether we are idle now. The only case when we decide to be idle is when there's only a loopback +         * device around, for which we have no configuration, and which already left the PENDING state. In all other +         * cases we are not idle. */ +          HASHMAP_FOREACH(link, m->links, i) { -                /* we are not woken on udev activity, so let's just wait for the -                 * pending udev event */ +                /* We are not woken on udev activity, so let's just wait for the pending udev event */                  if (link->state == LINK_STATE_PENDING)                          return false; -                if (!link->network) -                        continue; +                if ((link->flags & IFF_LOOPBACK) == 0) +                        return false; -                /* we are not woken on netork activity, so let's stay around */ -                if (link_lldp_enabled(link) || -                    link_ipv4ll_enabled(link) || -                    link_dhcp4_server_enabled(link) || -                    link_dhcp4_enabled(link) || -                    link_dhcp6_enabled(link) || -                    link_ipv6_accept_ra_enabled(link)) +                if (link->network)                          return false;          } diff --git a/src/resolve/dns-type.c b/src/resolve/dns-type.c index b2f479cae5..78d9d5733f 100644 --- a/src/resolve/dns-type.c +++ b/src/resolve/dns-type.c 
@@ -193,6 +193,23 @@ bool dns_type_is_obsolete(uint16_t type) {                        DNS_TYPE_NULL);  } +bool dns_type_needs_authentication(uint16_t type) { + +        /* Returns true for all (non-obsolete) RR types where records are not useful if they aren't +         * authenticated. I.e. everything that contains crypto keys. */ + +        return IN_SET(type, +                      DNS_TYPE_CERT, +                      DNS_TYPE_SSHFP, +                      DNS_TYPE_IPSECKEY, +                      DNS_TYPE_DS, +                      DNS_TYPE_DNSKEY, +                      DNS_TYPE_TLSA, +                      DNS_TYPE_CDNSKEY, +                      DNS_TYPE_OPENPGPKEY, +                      DNS_TYPE_CAA); +} +  int dns_type_to_af(uint16_t t) {          switch (t) { diff --git a/src/resolve/dns-type.h b/src/resolve/dns-type.h index f18ac6eef3..fb7babf12a 100644 --- a/src/resolve/dns-type.h +++ b/src/resolve/dns-type.h @@ -132,6 +132,7 @@ bool dns_type_is_dnssec(uint16_t type);  bool dns_type_is_obsolete(uint16_t type);  bool dns_type_may_wildcard(uint16_t type);  bool dns_type_apex_only(uint16_t type); +bool dns_type_needs_authentication(uint16_t type);  int dns_type_to_af(uint16_t t);  bool dns_class_is_pseudo(uint16_t class); diff --git a/src/resolve/resolve-tool.c b/src/resolve/resolve-tool.c index 9aade8e490..c1be03fbb2 100644 --- a/src/resolve/resolve-tool.c +++ b/src/resolve/resolve-tool.c @@ -339,6 +339,7 @@ static int resolve_record(sd_bus *bus, const char *name, uint16_t class, uint16_          uint64_t flags;          int r;          usec_t ts; +        bool needs_authentication = false;          assert(name); 
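Review bot: The comment on the new `dns_type_needs_authentication()` describes the set as "everything that contains crypto keys", but `DNS_TYPE_CAA` carries certificate-issuance policy and `DNS_TYPE_SSHFP` a key fingerprint rather than key material, so the comment undersells what membership means. Suggest rewording it to `/* Returns true for all (non-obsolete) RR types whose records are useless, or unsafe to act on, unless authenticated: key material, key fingerprints and certificate-issuance policy (CAA). */`. The user-facing warning added in resolve-tool.c ("cryptographic key data") inherits the same mismatch and should be worded consistently with this list.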
@@ -421,6 +422,10 @@ static int resolve_record(sd_bus *bus, const char *name, uint16_t class, uint16_                          log_warning_errno(errno, "Failed to resolve interface name for index %i: %m", ifindex);                  printf("%s%s%s\n", s, isempty(ifname) ? "" : " # interface ", ifname); + +                if (dns_type_needs_authentication(t)) +                        needs_authentication = true; +                  n++;          }          if (r < 0) @@ -441,6 +446,18 @@ static int resolve_record(sd_bus *bus, const char *name, uint16_t class, uint16_          print_source(flags, ts); +        if ((flags & SD_RESOLVED_AUTHENTICATED) == 0 && needs_authentication) { +                fflush(stdout); + +                fprintf(stderr, "\n%s" +                       "WARNING: The resources shown contain cryptographic key data which could not be\n" +                       "         authenticated. It is not suitable to authenticate any communication.\n" +                       "         This is usually indication that DNSSEC authentication was not enabled\n" +                       "         or is not available for the selected protocol or DNS servers.%s\n", +                       ansi_highlight_red(), +                       ansi_normal()); +        } +          return 0;  } diff --git a/src/resolve/resolved-bus.c b/src/resolve/resolved-bus.c index 6f08c43327..2d94baeb7e 100644 --- a/src/resolve/resolved-bus.c +++ b/src/resolve/resolved-bus.c @@ -140,6 +140,7 @@ static int append_address(sd_bus_message *reply, DnsResourceRecord *rr, int ifin  static void bus_method_resolve_hostname_complete(DnsQuery *q) {          _cleanup_(dns_resource_record_unrefp) DnsResourceRecord *canonical = NULL;          _cleanup_(sd_bus_message_unrefp) sd_bus_message *reply = NULL; +        _cleanup_free_ char *normalized = NULL;          DnsResourceRecord *rr;          unsigned added = 0;          int ifindex, r; 
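Review bot: The warning text added to resolve_record() says the records "contain cryptographic key data", but `dns_type_needs_authentication()` also returns true for CAA and SSHFP, which carry issuance policy and fingerprints rather than keys; "contain security-relevant data (keys, fingerprints or certificate policy) which could not be" would describe what actually triggers it. The sentence `This is usually indication that` should read `This is usually an indication that`. A short comment above the new `if` would also help, since `needs_authentication` is only ever set inside the record loop of the previous hunk and the warning therefore cannot fire when nothing was printed: `/* Only warn about unauthenticated answers when we actually printed records whose type requires authentication */`. resolve_record()'s body starts and ends outside these hunks.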
@@ -199,11 +200,17 @@ static void bus_method_resolve_hostname_complete(DnsQuery *q) {          if (r < 0)                  goto finish; +        /* The key names are not necessarily normalized, make sure that they are when we return them to our bus +         * clients. */ +        r = dns_name_normalize(DNS_RESOURCE_KEY_NAME(canonical->key), &normalized); +        if (r < 0) +                goto finish; +          /* Return the precise spelling and uppercasing and CNAME target reported by the server */          assert(canonical);          r = sd_bus_message_append(                          reply, "st", -                        DNS_RESOURCE_KEY_NAME(canonical->key), +                        normalized,                          SD_RESOLVED_FLAGS_MAKE(q->answer_protocol, q->answer_family, q->answer_authenticated));          if (r < 0)                  goto finish; @@ -395,13 +402,19 @@ static void bus_method_resolve_address_complete(DnsQuery *q) {          question = dns_query_question_for_protocol(q, q->answer_protocol);          DNS_ANSWER_FOREACH_IFINDEX(rr, ifindex, q->answer) { +                _cleanup_free_ char *normalized = NULL; +                  r = dns_question_matches_rr(question, rr, NULL);                  if (r < 0)                          goto finish;                  if (r == 0)                          continue; -                r = sd_bus_message_append(reply, "(is)", ifindex, rr->ptr.name); +                r = dns_name_normalize(rr->ptr.name, &normalized); +                if (r < 0) +                        goto finish; + +                r = sd_bus_message_append(reply, "(is)", ifindex, normalized);                  if (r < 0)                          goto finish; @@ -671,6 +684,7 @@ fail:  static int append_srv(DnsQuery *q, sd_bus_message *reply, DnsResourceRecord *rr) {          _cleanup_(dns_resource_record_unrefp) DnsResourceRecord *canonical = NULL; +        _cleanup_free_ char *normalized = NULL;          DnsQuery *aux;          int r; 
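Review bot: In bus_method_resolve_hostname_complete() the new `dns_name_normalize(DNS_RESOURCE_KEY_NAME(canonical->key), &normalized)` call dereferences `canonical` before the pre-existing `assert(canonical);` that now follows it, so that assertion no longer guards anything; move `assert(canonical);` above the new normalization block (and drop the later one, or leave it as a no-op). The resolve_address_complete hunk below is fine in this respect, as its per-iteration `_cleanup_free_ char *normalized` is scoped to the loop body and `rr` is already checked by `dns_question_matches_rr()`. Both enclosing functions start and end outside the hunks.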
@@ -727,10 +741,14 @@ static int append_srv(DnsQuery *q, sd_bus_message *reply, DnsResourceRecord *rr)          if (r < 0)                  return r; +        r = dns_name_normalize(rr->srv.name, &normalized); +        if (r < 0) +                return r; +          r = sd_bus_message_append(                          reply,                          "qqqs", -                        rr->srv.priority, rr->srv.weight, rr->srv.port, rr->srv.name); +                        rr->srv.priority, rr->srv.weight, rr->srv.port, normalized);          if (r < 0)                  return r; @@ -776,9 +794,17 @@ static int append_srv(DnsQuery *q, sd_bus_message *reply, DnsResourceRecord *rr)          if (r < 0)                  return r; +        if (canonical) { +                normalized = mfree(normalized); + +                r = dns_name_normalize(DNS_RESOURCE_KEY_NAME(canonical->key), &normalized); +                if (r < 0) +                        return r; +        } +          /* Note that above we appended the hostname as encoded in the           * SRV, and here the canonical hostname this maps to. */ -        r = sd_bus_message_append(reply, "s", canonical ? DNS_RESOURCE_KEY_NAME(canonical->key) : rr->srv.name); +        r = sd_bus_message_append(reply, "s", normalized);          if (r < 0)                  return r; diff --git a/src/resolve/resolved-manager.c b/src/resolve/resolved-manager.c index 7f9073448a..49e378614e 100644 --- a/src/resolve/resolved-manager.c +++ b/src/resolve/resolved-manager.c @@ -485,7 +485,7 @@ int manager_new(Manager **ret) {          m->llmnr_support = RESOLVE_SUPPORT_YES;          m->mdns_support = RESOLVE_SUPPORT_NO; -        m->dnssec_mode = DNSSEC_NO; +        m->dnssec_mode = DEFAULT_DNSSEC_MODE;          m->read_resolv_conf = true;          m->need_builtin_fallbacks = true;          m->etc_hosts_last = m->etc_hosts_mtime = USEC_INFINITY; 
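Review bot: The final `sd_bus_message_append(reply, "s", normalized)` in append_srv() depends on `normalized` still holding the normalized `rr->srv.name` from the earlier hunk whenever `canonical` is NULL, across the intervening code that is not shown here; that fallback is easy to break later and deserves an explicit comment on an `else` branch, e.g. `/* No canonical name: "normalized" still holds the normalized SRV target appended above */`. The existing comment `Note that above we appended the hostname as encoded in the SRV` is also now slightly stale, since what is appended above is the normalized spelling rather than the encoding found in the record; suggest `the hostname as normalized from the SRV target`. append_srv()'s body starts and ends outside these hunks.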
diff --git a/src/resolve/resolved.conf.in b/src/resolve/resolved.conf.in index efc9c6733a..a288588924 100644 --- a/src/resolve/resolved.conf.in +++ b/src/resolve/resolved.conf.in @@ -16,4 +16,4 @@  #FallbackDNS=@DNS_SERVERS@  #Domains=  #LLMNR=yes -#DNSSEC=no +#DNSSEC=@DEFAULT_DNSSEC_MODE@ diff --git a/src/udev/udevd.c b/src/udev/udevd.c index 2c1c4a967b..bb92f16352 100644 --- a/src/udev/udevd.c +++ b/src/udev/udevd.c @@ -1715,7 +1715,7 @@ int main(int argc, char *argv[]) {                     by PID1. otherwise we are not guaranteed to have a dedicated cgroup */                  r = cg_pid_get_path(SYSTEMD_CGROUP_CONTROLLER, 0, &cgroup);                  if (r < 0) { -                        if (r == -ENOENT || r == -ENOEXEC) +                        if (r == -ENOENT || r == -ENOMEDIUM)                                  log_debug_errno(r, "did not find dedicated cgroup: %m");                          else                                  log_warning_errno(r, "failed to get cgroup: %m"); | 
