| field | value | date |
|---|---|---|
| author | Joan Bruguera <joanbrugueram@gmail.com> | 2022-01-31 21:28:32 +0100 |
| committer | Joan Bruguera <joanbrugueram@gmail.com> | 2022-02-01 19:24:40 +0100 |
| commit | aa892849d50e9dd5da03a628463ccf6c55ff1b44 | |
| tree | eb03296903e34a2da1f899f873415685426ed8c5 /src/resolve/resolved-dns-stream.c | |
| parent | eff107736e17bfe43680c42ae39baa3d41fb4715 | |
| download | systemd-aa892849d50e9dd5da03a628463ccf6c55ff1b44.tar.gz | |
resolved: Avoid multiple SSL writes per DoT packet
In the DoT case, dns_stream_writev decomposed an iovec into multiple
dnstls_stream_write calls, which resulted in multiple SSL writes and multiple
TLS records. This can be checked from a network capture, e.g. using socat:
```
socat -v -x openssl-listen:853,reuseaddr,fork,cert=my.cert,key=my.key,verify=0 openssl:8.8.8.8:853
```
Instead, propagate the iovec as-is into the DoT handling code. For GnuTLS, the
library provides support for buffering ('corking') a record. OpenSSL has no
such facility, so we join the iovec into a single buffer then call SSL_write.
socat capture of `resolvectl -4 query --cache=no example.com` before the commit:

```
> 2022/01/30 13:35:52.194200 length=2 from=0 to=1
00 28 .(
--
> 2022/01/30 13:35:52.194253 length=40 from=2 to=41
1e b2 01 00 00 01 00 00 00 00 00 01 07 65 78 61 .............exa
6d 70 6c 65 03 63 6f 6d 00 00 01 00 01 00 00 29 mple.com.......)
ff e4 00 00 00 00 00 00 ........
--
< 2022/01/30 13:35:52.232798 length=58 from=0 to=57
00 38 1e b2 81 80 00 01 00 01 00 00 00 01 07 65 .8.............e
78 61 6d 70 6c 65 03 63 6f 6d 00 00 01 00 01 c0 xample.com......
0c 00 01 00 01 00 00 53 6f 00 04 5d b8 d8 22 00 .......So..]..".
00 29 02 00 00 00 00 00 00 00 .)........
```

socat capture of `resolvectl -4 query --cache=no example.com` after the commit:

```
> 2022/01/30 13:34:47.598099 length=42 from=504 to=545
00 28 37 86 01 00 00 01 00 00 00 00 00 01 07 65 .(7............e
78 61 6d 70 6c 65 03 63 6f 6d 00 00 01 00 01 00 xample.com......
00 29 ff e4 00 00 00 00 00 00 .)........
--
< 2022/01/30 13:34:47.613203 length=58 from=756 to=813
00 38 37 86 81 80 00 01 00 01 00 00 00 01 07 65 .87............e
78 61 6d 70 6c 65 03 63 6f 6d 00 00 01 00 01 c0 xample.com......
0c 00 01 00 01 00 00 52 5e 00 04 5d b8 d8 22 00 .......R^..]..".
00 29 02 00 00 00 00 00 00 00 .)........
```
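To make the before/after difference in the captures concrete, here is an added example in C (not systemd's code): a mock record writer that counts one TLS record per call, the old per-iovec loop beside the joined-buffer write the message describes for OpenSSL, and the 2-byte length prefix plus the 40-byte query from the first capture as the two-entry iovec. `RecordStats`, `mock_ssl_write` and the function names are assumptions made for this example.

```c
#include <stdlib.h>
#include <string.h>
#include <sys/uio.h>

/* Constructed from the commit's capture: the 40-byte example.com query. */
static const unsigned char dot_query[40] = {
        0x1e,0xb2,0x01,0x00,0x00,0x01,0x00,0x00,0x00,0x00,0x00,0x01,0x07,0x65,0x78,0x61,
        0x6d,0x70,0x6c,0x65,0x03,0x63,0x6f,0x6d,0x00,0x00,0x01,0x00,0x01,0x00,0x00,0x29,
        0xff,0xe4,0x00,0x00,0x00,0x00,0x00,0x00 };
/* Stand-in for SSL_write(): one call, one TLS record. Counts only, so no TLS library is needed. */
typedef struct { size_t records, bytes; } RecordStats;
static ssize_t mock_ssl_write(RecordStats *st, const void *buf, size_t len) {
        (void) buf;
        st->records++;
        st->bytes += len;
        return (ssize_t) len;
}

/* Before the commit: one write per iovec entry, so one record per entry; a short write ends the loop. */
static ssize_t write_per_iovec(RecordStats *st, const struct iovec *iov, size_t n) {
        ssize_t m = 0;
        for (size_t i = 0; i < n; i++) {
                ssize_t ss = mock_ssl_write(st, iov[i].iov_base, iov[i].iov_len);
                if (ss < 0) return ss;
                m += ss;
                if ((size_t) ss != iov[i].iov_len) break;
        }
        return m;
}

/* After the commit (OpenSSL path): copy the iovec into one buffer, then a single write. */
static ssize_t write_joined(RecordStats *st, const struct iovec *iov, size_t n) {
        size_t total = 0, off = 0;
        for (size_t i = 0; i < n; i++) total += iov[i].iov_len;
        unsigned char *buf = malloc(total);
        if (!buf) return -1;  /* real code would return -ENOMEM */
        for (size_t i = 0; i < n; off += iov[i].iov_len, i++)
                memcpy(buf + off, iov[i].iov_base, iov[i].iov_len);
        ssize_t ss = mock_ssl_write(st, buf, total);
        free(buf);
        return ss;
}

/* DoT framing (2-byte big-endian length, then the message) as two iovec entries;
 * returns how many records the given writer emitted, or 0 on a failed write. */
static size_t records_emitted(ssize_t (*w)(RecordStats *, const struct iovec *, size_t)) {
        unsigned char prefix[2] = { sizeof dot_query >> 8, sizeof dot_query & 0xff };
        struct iovec iov[2] = { { prefix, sizeof prefix }, { (void *) dot_query, sizeof dot_query } };
        RecordStats st = { 0, 0 };
        return w(&st, iov, 2) == (ssize_t) (sizeof prefix + sizeof dot_query) ? st.records : 0;
}
```

With the capture's framing, `records_emitted(write_per_iovec)` yields 2 records (the `length=2` and `length=40` writes seen before the commit) and `records_emitted(write_joined)` yields 1 (the single `length=42` write seen after it).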
Diffstat (limited to 'src/resolve/resolved-dns-stream.c')
-rw-r--r-- | src/resolve/resolved-dns-stream.c | 18 |
1 files changed, 3 insertions, 15 deletions
diff --git a/src/resolve/resolved-dns-stream.c b/src/resolve/resolved-dns-stream.c index 290c28ed65..5c4a9ebb99 100644 --- a/src/resolve/resolved-dns-stream.c +++ b/src/resolve/resolved-dns-stream.c @@ -210,22 +210,10 @@ ssize_t dns_stream_writev(DnsStream *s, const struct iovec *iov, size_t iovcnt, assert(iov); #if ENABLE_DNS_OVER_TLS - if (s->encrypted && !(flags & DNS_STREAM_WRITE_TLS_DATA)) { - ssize_t ss; - size_t i; - - m = 0; - for (i = 0; i < iovcnt; i++) { - ss = dnstls_stream_write(s, iov[i].iov_base, iov[i].iov_len); - if (ss < 0) - return ss; - - m += ss; - if (ss != (ssize_t) iov[i].iov_len) - continue; - } - } else + if (s->encrypted && !(flags & DNS_STREAM_WRITE_TLS_DATA)) + return dnstls_stream_writev(s, iov, iovcnt); #endif + if (s->tfo_salen > 0) { struct msghdr hdr = { .msg_iov = (struct iovec*) iov, |
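Review bot: the early `return dnstls_stream_writev(s, iov, iovcnt);` inside the `#if ENABLE_DNS_OVER_TLS` block delegates the whole encrypted path to a function outside this file, so the partial-write contract of dns_stream_writev now depends entirely on it; the removed loop returned a negative error as soon as one dnstls_stream_write failed and otherwise accumulated the byte count in `m`, and callers that compare the result against the total iovec length need dnstls_stream_writev to return the same shape of value for both the GnuTLS cork path and the OpenSSL joined-buffer path the message describes. The deleted `if (ss != (ssize_t) iov[i].iov_len) continue;` was a no-op (a short write moved on to the next entry rather than stopping), so the replacement should be checked for not carrying that behaviour over; a one-line comment above the `#if` saying the encrypted path hands the whole iovec to the TLS layer as one record would also help readers of the now-empty-looking preprocessor block.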