

resolved: replace "answer_authenticated" bool by uint64_t query_flags…
… field

Let's use the same flags type we use for client communication, i.e.
instead of "bool answer_authenticated", let's use "uint64_t
answer_query_flags", with the SD_RESOLVED_AUTHENTICATED flag.

This is mostly just search/replace, i.e. a refactoring, no change in
behaviour.

This becomes useful once, in a later commit, SD_RESOLVED_CONFIDENTIAL is
added to indicate resolutions that were either encrypted (DNS-over-TLS)
or never left the local system.
poettering committed Feb 16, 2021
1 parent 0e703bb commit 6f055e4
Showing 6 changed files with 87 additions and 84 deletions.
62 changes: 36 additions & 26 deletions src/resolve/resolved-dns-cache.c
Expand Up @@ -22,6 +22,8 @@
* now) */
#define CACHE_TTL_STRANGE_RCODE_USEC (10 * USEC_PER_SEC)

#define CACHEABLE_QUERY_FLAGS (SD_RESOLVED_AUTHENTICATED)

typedef enum DnsCacheItemType DnsCacheItemType;
typedef struct DnsCacheItem DnsCacheItem;

Expand All @@ -41,8 +43,8 @@ struct DnsCacheItem {
int rcode;

usec_t until;
bool authenticated:1;
bool shared_owner:1;
uint64_t query_flags; /* SD_RESOLVED_AUTHENTICATED */
DnssecResult dnssec_result;

int ifindex;
Expand Down Expand Up @@ -353,7 +355,7 @@ static void dns_cache_item_update_positive(
DnsResourceRecord *rr,
DnsAnswer *answer,
DnsPacket *full_packet,
bool authenticated,
uint64_t query_flags,
bool shared_owner,
DnssecResult dnssec_result,
usec_t timestamp,
Expand Down Expand Up @@ -390,7 +392,7 @@ static void dns_cache_item_update_positive(
i->full_packet = full_packet;

i->until = calculate_until(rr, UINT32_MAX, timestamp, false);
i->authenticated = authenticated;
i->query_flags = query_flags & CACHEABLE_QUERY_FLAGS;
i->shared_owner = shared_owner;
i->dnssec_result = dnssec_result;

Expand All @@ -407,7 +409,7 @@ static int dns_cache_put_positive(
DnsResourceRecord *rr,
DnsAnswer *answer,
DnsPacket *full_packet,
bool authenticated,
uint64_t query_flags,
bool shared_owner,
DnssecResult dnssec_result,
usec_t timestamp,
Expand Down Expand Up @@ -448,7 +450,7 @@ static int dns_cache_put_positive(
rr,
answer,
full_packet,
authenticated,
query_flags,
shared_owner,
dnssec_result,
timestamp,
Expand Down Expand Up @@ -476,7 +478,7 @@ static int dns_cache_put_positive(
.answer = dns_answer_ref(answer),
.full_packet = dns_packet_ref(full_packet),
.until = calculate_until(rr, (uint32_t) -1, timestamp, false),
.authenticated = authenticated,
.query_flags = query_flags & CACHEABLE_QUERY_FLAGS,
.shared_owner = shared_owner,
.dnssec_result = dnssec_result,
.ifindex = ifindex,
Expand All @@ -496,7 +498,7 @@ static int dns_cache_put_positive(
(void) in_addr_to_string(i->owner_family, &i->owner_address, &t);

log_debug("Added positive %s%s cache entry for %s "USEC_FMT"s on %s/%s/%s",
i->authenticated ? "authenticated" : "unauthenticated",
FLAGS_SET(i->query_flags, SD_RESOLVED_AUTHENTICATED) ? "authenticated" : "unauthenticated",
i->shared_owner ? " shared" : "",
dns_resource_key_to_string(i->key, key_str, sizeof key_str),
(i->until - timestamp) / USEC_PER_SEC,
Expand All @@ -515,7 +517,7 @@ static int dns_cache_put_negative(
int rcode,
DnsAnswer *answer,
DnsPacket *full_packet,
bool authenticated,
uint64_t query_flags,
DnssecResult dnssec_result,
uint32_t nsec_ttl,
usec_t timestamp,
Expand Down Expand Up @@ -566,7 +568,7 @@ static int dns_cache_put_negative(
.type =
rcode == DNS_RCODE_SUCCESS ? DNS_CACHE_NODATA :
rcode == DNS_RCODE_NXDOMAIN ? DNS_CACHE_NXDOMAIN : DNS_CACHE_RCODE,
.authenticated = authenticated,
.query_flags = query_flags & CACHEABLE_QUERY_FLAGS,
.dnssec_result = dnssec_result,
.owner_family = owner_family,
.owner_address = *owner_address,
Expand Down Expand Up @@ -669,7 +671,7 @@ int dns_cache_put(
int rcode,
DnsAnswer *answer,
DnsPacket *full_packet,
bool authenticated,
uint64_t query_flags,
DnssecResult dnssec_result,
uint32_t nsec_ttl,
int owner_family,
Expand Down Expand Up @@ -761,7 +763,7 @@ int dns_cache_put(
item->rr,
primary ? answer : NULL,
primary ? full_packet : NULL,
item->flags & DNS_ANSWER_AUTHENTICATED,
(item->flags & DNS_ANSWER_AUTHENTICATED) ? SD_RESOLVED_AUTHENTICATED : 0,
item->flags & DNS_ANSWER_SHARED_OWNER,
dnssec_result,
timestamp,
Expand Down Expand Up @@ -802,7 +804,8 @@ int dns_cache_put(
if (r > 0) {
/* Refuse using the SOA data if it is unsigned, but the key is
* signed */
if (authenticated && (flags & DNS_ANSWER_AUTHENTICATED) == 0)
if (FLAGS_SET(query_flags, SD_RESOLVED_AUTHENTICATED) &&
(flags & DNS_ANSWER_AUTHENTICATED) == 0)
return 0;
}

Expand All @@ -819,7 +822,7 @@ int dns_cache_put(
rcode,
answer,
full_packet,
authenticated,
query_flags,
dnssec_result,
nsec_ttl,
timestamp,
Expand Down Expand Up @@ -951,7 +954,7 @@ int dns_cache_lookup(
int *ret_rcode,
DnsAnswer **ret_answer,
DnsPacket **ret_full_packet,
bool *ret_authenticated,
uint64_t *ret_query_flags,
DnssecResult *ret_dnssec_result) {

_cleanup_(dns_packet_unrefp) DnsPacket *full_packet = NULL;
Expand Down Expand Up @@ -1013,7 +1016,7 @@ int dns_cache_lookup(
n++;
}

if (j->authenticated)
if (FLAGS_SET(j->query_flags, SD_RESOLVED_AUTHENTICATED))
have_authenticated = true;
else
have_non_authenticated = true;
Expand Down Expand Up @@ -1049,7 +1052,14 @@ int dns_cache_lookup(
}

} else if (j->rr) {
r = answer_add_clamp_ttl(&answer, j->rr, j->ifindex, j->authenticated ? DNS_ANSWER_AUTHENTICATED : 0, NULL, query_flags, j->until, current);
r = answer_add_clamp_ttl(&answer,
j->rr,
j->ifindex,
FLAGS_SET(j->query_flags, SD_RESOLVED_AUTHENTICATED) ? DNS_ANSWER_AUTHENTICATED : 0,
NULL,
query_flags,
j->until,
current);
if (r < 0)
return r;
}
Expand All @@ -1072,8 +1082,8 @@ int dns_cache_lookup(
*ret_answer = TAKE_PTR(answer);
if (ret_full_packet)
*ret_full_packet = TAKE_PTR(full_packet);
if (ret_authenticated)
*ret_authenticated = false;
if (ret_query_flags)
*ret_query_flags = 0;
if (ret_dnssec_result)
*ret_dnssec_result = dnssec_result;

Expand All @@ -1097,8 +1107,8 @@ int dns_cache_lookup(
*ret_answer = TAKE_PTR(answer);
if (ret_full_packet)
*ret_full_packet = TAKE_PTR(full_packet);
if (ret_authenticated)
*ret_authenticated = nsec->authenticated;
if (ret_query_flags)
*ret_query_flags = nsec->query_flags;
if (ret_dnssec_result)
*ret_dnssec_result = nsec->dnssec_result;

Expand Down Expand Up @@ -1127,8 +1137,8 @@ int dns_cache_lookup(
*ret_answer = TAKE_PTR(answer);
if (ret_full_packet)
*ret_full_packet = TAKE_PTR(full_packet);
if (ret_authenticated)
*ret_authenticated = have_authenticated && !have_non_authenticated;
if (ret_query_flags)
*ret_query_flags = (have_authenticated && !have_non_authenticated) ? SD_RESOLVED_AUTHENTICATED : 0;
if (ret_dnssec_result)
*ret_dnssec_result = dnssec_result;

Expand All @@ -1143,8 +1153,8 @@ int dns_cache_lookup(
*ret_answer = TAKE_PTR(answer);
if (ret_full_packet)
*ret_full_packet = TAKE_PTR(full_packet);
if (ret_authenticated)
*ret_authenticated = have_authenticated && !have_non_authenticated;
if (ret_query_flags)
*ret_query_flags = (have_authenticated && !have_non_authenticated) ? SD_RESOLVED_AUTHENTICATED : 0;
if (ret_dnssec_result)
*ret_dnssec_result = dnssec_result;

Expand All @@ -1157,8 +1167,8 @@ int dns_cache_lookup(
*ret_answer = NULL;
if (ret_full_packet)
*ret_full_packet = NULL;
if (ret_authenticated)
*ret_authenticated = false;
if (ret_query_flags)
*ret_query_flags = 0;
if (ret_dnssec_result)
*ret_dnssec_result = _DNSSEC_RESULT_INVALID;

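Review bot: The new `query_flags` member of DnsCacheItem (second hunk of this file) shares its name with the existing `query_flags` parameter of dns_cache_lookup, so in the answer_add_clamp_ttl call of the lookup hunk `j->query_flags` (the flags stored with the cache item) and `query_flags` (the flags of the request being served) read alike although they mean different things. The one-word comment `/* SD_RESOLVED_AUTHENTICATED */` does not draw that distinction; I would extend it to `/* SD_RESOLVED_* flags describing the answer this item was built from, masked by CACHEABLE_QUERY_FLAGS; unrelated to the flags of the query being looked up */`. CACHEABLE_QUERY_FLAGS itself deserves a comment saying it is the subset of flags the cache is allowed to persist, since every store site masks with it while the lookup paths hand the stored value back unmasked and callers presumably treat the AUTHENTICATED bit as a DNSSEC verdict. dns_cache_item_update_positive, dns_cache_put and dns_cache_lookup all start outside their hunks.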
4 changes: 2 additions & 2 deletions src/resolve/resolved-dns-cache.h
Expand Up @@ -30,7 +30,7 @@ int dns_cache_put(
int rcode,
DnsAnswer *answer,
DnsPacket *full_packet,
bool authenticated,
uint64_t query_flags,
DnssecResult dnssec_result,
uint32_t nsec_ttl,
int owner_family,
Expand All @@ -43,7 +43,7 @@ int dns_cache_lookup(
int *ret_rcode,
DnsAnswer **ret_answer,
DnsPacket **ret_full_packet,
bool *ret_authenticated,
uint64_t *ret_query_flags,
DnssecResult *ret_dnssec_result);

int dns_cache_check_conflicts(DnsCache *cache, DnsResourceRecord *rr, int owner_family, const union in_addr_union *owner_address);
25 changes: 13 additions & 12 deletions src/resolve/resolved-dns-query.c
Expand Up @@ -346,7 +346,7 @@ static void dns_query_reset_answer(DnsQuery *q) {
q->answer_rcode = 0;
q->answer_dnssec_result = _DNSSEC_RESULT_INVALID;
q->answer_errno = 0;
q->answer_authenticated = false;
q->answer_query_flags = 0;
q->answer_protocol = _DNS_PROTOCOL_INVALID;
q->answer_family = AF_UNSPEC;
q->answer_search_domain = dns_search_domain_unref(q->answer_search_domain);
Expand Down Expand Up @@ -630,7 +630,7 @@ static int dns_query_synthesize_reply(DnsQuery *q, DnsTransactionState *state) {
q->answer_rcode = DNS_RCODE_NXDOMAIN;
q->answer_protocol = dns_synthesize_protocol(q->flags);
q->answer_family = dns_synthesize_family(q->flags);
q->answer_authenticated = true;
q->answer_query_flags = SD_RESOLVED_AUTHENTICATED;
*state = DNS_TRANSACTION_RCODE_FAILURE;

return 0;
Expand All @@ -644,7 +644,7 @@ static int dns_query_synthesize_reply(DnsQuery *q, DnsTransactionState *state) {
q->answer_rcode = DNS_RCODE_SUCCESS;
q->answer_protocol = dns_synthesize_protocol(q->flags);
q->answer_family = dns_synthesize_family(q->flags);
q->answer_authenticated = true;
q->answer_query_flags = SD_RESOLVED_AUTHENTICATED;

*state = DNS_TRANSACTION_SUCCESS;

Expand Down Expand Up @@ -676,7 +676,7 @@ static int dns_query_try_etc_hosts(DnsQuery *q) {
q->answer_rcode = DNS_RCODE_SUCCESS;
q->answer_protocol = dns_synthesize_protocol(q->flags);
q->answer_family = dns_synthesize_family(q->flags);
q->answer_authenticated = true;
q->answer_query_flags = SD_RESOLVED_AUTHENTICATED;

return 1;
}
Expand Down Expand Up @@ -817,7 +817,7 @@ static void dns_query_accept(DnsQuery *q, DnsQueryCandidate *c) {
q->answer = dns_answer_unref(q->answer);
q->answer_rcode = 0;
q->answer_dnssec_result = _DNSSEC_RESULT_INVALID;
q->answer_authenticated = false;
q->answer_query_flags = 0;
q->answer_errno = c->error_code;
q->answer_full_packet = dns_packet_unref(q->answer_full_packet);
}
Expand Down Expand Up @@ -845,7 +845,7 @@ static void dns_query_accept(DnsQuery *q, DnsQueryCandidate *c) {
dns_packet_unref(q->answer_full_packet);
q->answer_full_packet = dns_packet_ref(t->received);

if (t->answer_authenticated) {
if (FLAGS_SET(t->answer_query_flags, SD_RESOLVED_AUTHENTICATED)) {
has_authenticated = true;
dnssec_result_authenticated = t->answer_dnssec_result;
} else {
Expand All @@ -870,14 +870,15 @@ static void dns_query_accept(DnsQuery *q, DnsQueryCandidate *c) {
continue;

/* If there's already an authenticated negative reply stored, then prefer that over any unauthenticated one */
if (q->answer_authenticated && !t->answer_authenticated)
if (FLAGS_SET(q->answer_query_flags, SD_RESOLVED_AUTHENTICATED) &&
!FLAGS_SET(t->answer_query_flags, SD_RESOLVED_AUTHENTICATED))
continue;

dns_answer_unref(q->answer);
q->answer = dns_answer_ref(t->answer);
q->answer_rcode = t->answer_rcode;
q->answer_dnssec_result = t->answer_dnssec_result;
q->answer_authenticated = t->answer_authenticated;
q->answer_query_flags = t->answer_query_flags;
q->answer_errno = t->answer_errno;
dns_packet_unref(q->answer_full_packet);
q->answer_full_packet = dns_packet_ref(t->received);
Expand All @@ -888,8 +889,8 @@ static void dns_query_accept(DnsQuery *q, DnsQueryCandidate *c) {
}

if (state == DNS_TRANSACTION_SUCCESS) {
q->answer_authenticated = has_authenticated && !has_non_authenticated;
q->answer_dnssec_result = q->answer_authenticated ? dnssec_result_authenticated : dnssec_result_non_authenticated;
SET_FLAG(q->answer_query_flags, SD_RESOLVED_AUTHENTICATED, has_authenticated && !has_non_authenticated);
q->answer_dnssec_result = FLAGS_SET(q->answer_query_flags, SD_RESOLVED_AUTHENTICATED) ? dnssec_result_authenticated : dnssec_result_non_authenticated;
}

q->answer_protocol = c->scope->protocol;
Expand Down Expand Up @@ -1049,7 +1050,7 @@ int dns_query_process_cname(DnsQuery *q) {
if (q->flags & SD_RESOLVED_NO_CNAME)
return -ELOOP;

if (!q->answer_authenticated)
if (!FLAGS_SET(q->answer_query_flags, SD_RESOLVED_AUTHENTICATED))
q->previous_redirect_unauthenticated = true;

/* OK, let's actually follow the CNAME */
Expand Down Expand Up @@ -1119,5 +1120,5 @@ const char *dns_query_string(DnsQuery *q) {
bool dns_query_fully_authenticated(DnsQuery *q) {
assert(q);

return q->answer_authenticated && !q->previous_redirect_unauthenticated;
return FLAGS_SET(q->answer_query_flags, SD_RESOLVED_AUTHENTICATED) && !q->previous_redirect_unauthenticated;
}
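Review bot: In the `state == DNS_TRANSACTION_SUCCESS` branch of dns_query_accept, `SET_FLAG(q->answer_query_flags, SD_RESOLVED_AUTHENTICATED, has_authenticated && !has_non_authenticated)` toggles a single bit, whereas the bool it replaces was an unconditional assignment, so any other bit already present in `q->answer_query_flags` (for instance copied earlier in the same loop by `q->answer_query_flags = t->answer_query_flags`, if that path can be reached before a SUCCESS verdict) survives. Today that is unobservable because SD_RESOLVED_AUTHENTICATED is the only flag, but the commit message announces SD_RESOLVED_CONFIDENTIAL, and at that point the success path would need the same has_*/has_non_* aggregation for every flag rather than inheriting whatever a single transaction set. The cache code in this commit derives the value in full (`(have_authenticated && !have_non_authenticated) ? SD_RESOLVED_AUTHENTICATED : 0`); I would write this site the same way, `q->answer_query_flags = (has_authenticated && !has_non_authenticated) ? SD_RESOLVED_AUTHENTICATED : 0;`, or add a comment stating that bits other than AUTHENTICATED are intentionally preserved here. dns_query_accept starts and ends outside the hunk.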
2 changes: 1 addition & 1 deletion src/resolve/resolved-dns-query.h
Expand Up @@ -66,7 +66,7 @@ struct DnsQuery {
DnsAnswer *answer;
int answer_rcode;
DnssecResult answer_dnssec_result;
bool answer_authenticated;
uint64_t answer_query_flags;
DnsProtocol answer_protocol;
int answer_family;
DnsSearchDomain *answer_search_domain;
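Review bot: The new `uint64_t answer_query_flags;` member of struct DnsQuery carries no comment, while the parallel member added to DnsCacheItem in this commit is annotated with `/* SD_RESOLVED_AUTHENTICATED */`. The field is assigned from transaction flags and from synthesized replies in resolved-dns-query.c, so a reader of the header cannot tell which SD_RESOLVED_* bits may appear or that it describes the answer rather than the request; I would add `/* SD_RESOLVED_* flags describing the answer (currently only SD_RESOLVED_AUTHENTICATED), not the flags of the request */`. struct DnsQuery starts and ends outside the hunk.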
