From d0907a3a1f573eb8b072d7eb558a699c6c87eee4 Mon Sep 17 00:00:00 2001
From: Artem Boldariev
Date: Wed, 19 Mar 2025 15:11:26 +0200
Subject: [PATCH] TLS DNS: Simplify tls_cycle_input()
This commit simplifies code flow in the tls_cycle_input() and makes the incoming data processing similar to that in TCP DNS. In particular, now we decipher all the the incoming data before making a single isc__nm_process_sock_buffer() call. Previously we would try to decipher data bit-by-bit before trying to process the deciphered bit via isc__nm_process_sock_buffer(). Doing like before made the code much less predictable, in particular in the areas like when reading is paused or resumed. The newer approach also allowed us to get rid of some old kludges.
---
 lib/isc/netmgr/tlsdns.c | 40 ++++++++--------------------------------
 1 file changed, 8 insertions(+), 32 deletions(-)
diff --git a/lib/isc/netmgr/tlsdns.c b/lib/isc/netmgr/tlsdns.c
index 127e09a8a7..bd3c2bdd35 100644
--- a/lib/isc/netmgr/tlsdns.c
+++ b/lib/isc/netmgr/tlsdns.c
@@ -1086,20 +1086,8 @@ tls_cycle_input(isc_nmsocket_t *sock) {
 if (sock->tls.state == TLS_STATE_IO) {
 size_t len;
+ /* 1. Decrypt the incoming data */
 for (;;) {
- /*
- * There is a similar branch in
- * isc__nm_process_sock_buffer() which is sufficient to
- * stop excessive processing in TCP. However, as we wrap
- * this call in a loop, we need to have it here in order
- * to limit the number of loop iterations (and,
- * consequently, the number of messages processed).
- */
- if (atomic_load(&sock->ah) >= STREAM_CLIENTS_PER_CONN) {
- isc__nm_stop_reading(sock);
- break;
- }
-
 (void)SSL_peek(sock->tls.tls, &(char){ '\0' }, 0);
 int pending = SSL_pending(sock->tls.tls);
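Review bot: The new `/* 1. Decrypt the incoming data */` comment does not say why the per-iteration STREAM_CLIENTS_PER_CONN guard could be dropped, which is now the only non-obvious aspect of this loop. The removed comment explained that isc__nm_process_sock_buffer() carries an equivalent check, and the reason it is now sufficient is that the function is called exactly once after the loop instead of once per decrypted chunk; that reasoning should survive in the code rather than only in history. I'd extend the comment to something like `/* 1. Decrypt all plaintext already pending in the TLS object; the STREAM_CLIENTS_PER_CONN limit is enforced by the single isc__nm_process_sock_buffer() call after the loop, so no per-iteration check is needed */`. A side effect worth stating there is that reading is no longer paused from inside this loop, so everything the TLS object already holds is drained into sock->buf in one go — presumably bounded by what was already received from the network, but that bound is established outside this hunk. The for loop's body continues past the end of the hunk.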
@@ -1120,34 +1108,22 @@ tls_cycle_input(isc_nmsocket_t *sock) {
 sock->buf_size - sock->buf_len, &len);
 if (rv != 1) {
- /*
- * Process what's in the buffer so far
- */
- result = isc__nm_process_sock_buffer(
- sock);
- if (result != ISC_R_SUCCESS) {
- goto failure;
- }
- /*
- * FIXME: Should we call
- * isc__nm_failed_read_cb()?
- */
 break;
 }
 INSIST((size_t)pending == len);
 sock->buf_len += len;
- }
- result = isc__nm_process_sock_buffer(sock);
- if (result != ISC_R_SUCCESS) {
- goto failure;
- }
-
- if (pending == 0) {
+ } else {
 break;
 }
 }
+
+ /* 2. Process the incoming data */
+ result = isc__nm_process_sock_buffer(sock);
+ if (result != ISC_R_SUCCESS) {
+ goto failure;
+ }
 } else if (!SSL_is_init_finished(sock->tls.tls)) {
 if (SSL_is_server(sock->tls.tls)) {
 rv = SSL_accept(sock->tls.tls);
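Review bot: The `if (rv != 1) { break; }` branch now drops an SSL_read_ex() failure without inspecting it: the removed FIXME asked whether isc__nm_failed_read_cb() should be called, and the new code neither answers that nor records why breaking out and processing what was already buffered is safe. Since SSL_pending() reported plaintext available immediately before, a failure here is not the ordinary want-read case, and nothing in this hunk shows the error reaching the read callback. I'd either call isc__nm_failed_read_cb() here or keep the decision visible with a comment such as `/* SSL_read_ex() failed although SSL_pending() > 0: process what was buffered; the TLS error surfaces on the next read */`, if that is in fact guaranteed. Note also that `INSIST((size_t)pending == len)` is now on the only path that advances buf_len and still aborts the process if the buffer offered fewer than `pending` bytes, so it relies on the buffer having been grown to fit `pending` above the hunk, which is not visible here. The lines between the two hunks, including the condition that the new `} else {` closes, are outside this hunk.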