From ba6aaf572774a49ec2ece32fff492ed814d60922 Mon Sep 17 00:00:00 2001 From: Iwan Timmer Date: Thu, 26 Jul 2018 20:34:16 +0100 Subject: [PATCH] resolved: set io events after receiving EAGAIN for TLS During handshake and TLS session closing, messages needs to be exchanged. Therefore this patch overrides the requested IO events for the TCP stream when the TLS is waiting for sending or receiving of messages during theses periods. This fixes issues with correctly closing the TLS stream and prevents the handshake from hanging in rare cases (not seen yet). --- src/resolve/resolved-dns-stream.c | 17 +++++++++++++++-- src/resolve/resolved-dns-stream.h | 1 + src/resolve/resolved-dnstls-gnutls.c | 13 +++++++++---- 3 files changed, 25 insertions(+), 6 deletions(-) diff --git a/src/resolve/resolved-dns-stream.c b/src/resolve/resolved-dns-stream.c index ee392efb9da..36205a895c8 100644 --- a/src/resolve/resolved-dns-stream.c +++ b/src/resolve/resolved-dns-stream.c @@ -36,6 +36,12 @@ static int dns_stream_update_io(DnsStream *s) { if (!s->read_packet || s->n_read < sizeof(s->read_size) + s->read_packet->size) f |= EPOLLIN; +#if ENABLE_DNS_OVER_TLS + /* For handshake and clean closing purposes, TLS can override requested events */ + if (s->dnstls_events) + f = s->dnstls_events; +#endif + return sd_event_source_set_io_events(s->io_event_source, f); } @@ -274,10 +280,17 @@ static int on_stream_io(sd_event_source *es, int fd, uint32_t revents, void *use if (s->encrypted) { r = dnstls_stream_on_io(s); - if (r == DNSTLS_STREAM_CLOSED || r == -EAGAIN) + if (r == DNSTLS_STREAM_CLOSED) return 0; - else if (r < 0) + else if (r == -EAGAIN) + return dns_stream_update_io(s); + else if (r < 0) { return dns_stream_complete(s, -r); + } else { + r = dns_stream_update_io(s); + if (r < 0) + return r; + } } #endif diff --git a/src/resolve/resolved-dns-stream.h b/src/resolve/resolved-dns-stream.h index d64dc3b1d42..72db2a1a56a 100644 --- a/src/resolve/resolved-dns-stream.h +++ b/src/resolve/resolved-dns-stream.h @@ -42,6 +42,7 @@ struct DnsStream { #if ENABLE_DNS_OVER_TLS DnsTlsStreamData dnstls_data; + int dnstls_events; #endif sd_event_source *io_event_source; diff --git a/src/resolve/resolved-dnstls-gnutls.c b/src/resolve/resolved-dnstls-gnutls.c index 9c348cef678..36ee570b461 100644 --- a/src/resolve/resolved-dnstls-gnutls.c +++ b/src/resolve/resolved-dnstls-gnutls.c @@ -86,23 +86,28 @@ int dnstls_stream_on_io(DnsStream *stream) { if (stream->dnstls_data.shutdown) { r = gnutls_bye(stream->dnstls_data.session, GNUTLS_SHUT_RDWR); - if (r == GNUTLS_E_AGAIN) + if (r == GNUTLS_E_AGAIN) { + stream->dnstls_events = gnutls_record_get_direction(stream->dnstls_data.session) == 1 ? EPOLLOUT : EPOLLIN; return -EAGAIN; - else if (r < 0) + } else if (r < 0) log_debug("Failed to invoke gnutls_bye: %s", gnutls_strerror(r)); + stream->dnstls_events = 0; stream->dnstls_data.shutdown = false; dns_stream_unref(stream); return DNSTLS_STREAM_CLOSED; } else if (stream->dnstls_data.handshake < 0) { stream->dnstls_data.handshake = gnutls_handshake(stream->dnstls_data.session); - if (stream->dnstls_data.handshake == GNUTLS_E_AGAIN) + if (stream->dnstls_data.handshake == GNUTLS_E_AGAIN) { + stream->dnstls_events = gnutls_record_get_direction(stream->dnstls_data.session) == 1 ? EPOLLOUT : EPOLLIN; return -EAGAIN; - else if (stream->dnstls_data.handshake < 0) { + } else if (stream->dnstls_data.handshake < 0) { log_debug("Failed to invoke gnutls_handshake: %s", gnutls_strerror(stream->dnstls_data.handshake)); if (gnutls_error_is_fatal(stream->dnstls_data.handshake)) return -ECONNREFUSED; } + + stream->dnstls_events = 0; } return 0;