[thirdparty/systemd.git] / src / resolve / resolved-dnstls-gnutls.c

/* SPDX-License-Identifier: LGPL-2.1+ */

#if !ENABLE_DNS_OVER_TLS || !DNS_OVER_TLS_USE_GNUTLS
#error This source file requires DNS-over-TLS to be enabled and GnuTLS to be available.
#endif

#include <gnutls/socket.h>

#include "resolved-dns-stream.h"
#include "resolved-dnstls.h"

#define TLS_PROTOCOL_PRIORITY "NORMAL:-VERS-ALL:+VERS-TLS1.3:+VERS-TLS1.2"
DEFINE_TRIVIAL_CLEANUP_FUNC(gnutls_session_t, gnutls_deinit);

static ssize_t dnstls_stream_writev(gnutls_transport_ptr_t p, const giovec_t *iov, int iovcnt) {
        int r;

        assert(p);

        r = dns_stream_writev((DnsStream*) p, (const struct iovec*) iov, iovcnt, DNS_STREAM_WRITE_TLS_DATA);
        if (r < 0) {
                errno = -r;
                return -1;
        }

        return r;
}

int dnstls_stream_connect_tls(DnsStream *stream, DnsServer *server) {
        _cleanup_(gnutls_deinitp) gnutls_session_t gs;
        int r;

        assert(stream);
        assert(server);

        r = gnutls_init(&gs, GNUTLS_CLIENT | GNUTLS_ENABLE_FALSE_START | GNUTLS_NONBLOCK);
        if (r < 0)
                return r;

        /* As DNS-over-TLS is a recent protocol, older TLS versions can be disabled */
        r = gnutls_priority_set_direct(gs, TLS_PROTOCOL_PRIORITY, NULL);
        if (r < 0)
                return r;

        r = gnutls_credentials_set(gs, GNUTLS_CRD_CERTIFICATE, stream->manager->dnstls_data.cert_cred);
        if (r < 0)
                return r;

        if (server->dnstls_data.session_data.size > 0) {
                gnutls_session_set_data(gs, server->dnstls_data.session_data.data, server->dnstls_data.session_data.size);

                // Clear old session ticket
                gnutls_free(server->dnstls_data.session_data.data);
                server->dnstls_data.session_data.data = NULL;
                server->dnstls_data.session_data.size = 0;
        }

        if (server->manager->dns_over_tls_mode == DNS_OVER_TLS_YES) {
                if (server->server_name)
                        gnutls_session_set_verify_cert(gs, server->server_name, 0);
                else {
                        stream->dnstls_data.validation.type = GNUTLS_DT_IP_ADDRESS;
                        if (server->family == AF_INET) {
                                stream->dnstls_data.validation.data = (unsigned char*) &server->address.in.s_addr;
                                stream->dnstls_data.validation.size = 4;
                        } else {
                                stream->dnstls_data.validation.data = server->address.in6.s6_addr;
                                stream->dnstls_data.validation.size = 16;
                        }
                        gnutls_session_set_verify_cert2(gs, &stream->dnstls_data.validation, 1, 0);
                }
        }

        if (server->server_name) {
                r = gnutls_server_name_set(gs, GNUTLS_NAME_DNS, server->server_name, strlen(server->server_name));
                if (r < 0)
                        return log_debug_errno(SYNTHETIC_ERRNO(EINVAL), "Failed to set server name: %s", gnutls_strerror(r));
        }

        gnutls_handshake_set_timeout(gs, GNUTLS_DEFAULT_HANDSHAKE_TIMEOUT);

        gnutls_transport_set_ptr2(gs, (gnutls_transport_ptr_t) (long) stream->fd, stream);
        gnutls_transport_set_vec_push_function(gs, &dnstls_stream_writev);

        stream->encrypted = true;
        stream->dnstls_data.handshake = gnutls_handshake(gs);
        if (stream->dnstls_data.handshake < 0 && gnutls_error_is_fatal(stream->dnstls_data.handshake))
                return -ECONNREFUSED;

        stream->dnstls_data.session = TAKE_PTR(gs);

        return 0;
}

void dnstls_stream_free(DnsStream *stream) {
        assert(stream);
        assert(stream->encrypted);

        if (stream->dnstls_data.session)
                gnutls_deinit(stream->dnstls_data.session);
}

int dnstls_stream_on_io(DnsStream *stream, uint32_t revents) {
        int r;

        assert(stream);
        assert(stream->encrypted);
        assert(stream->dnstls_data.session);

        if (stream->dnstls_data.shutdown) {
                r = gnutls_bye(stream->dnstls_data.session, GNUTLS_SHUT_RDWR);
                if (r == GNUTLS_E_AGAIN) {
                        stream->dnstls_events = gnutls_record_get_direction(stream->dnstls_data.session) == 1 ? EPOLLOUT : EPOLLIN;
                        return -EAGAIN;
                } else if (r < 0)
                        log_debug("Failed to invoke gnutls_bye: %s", gnutls_strerror(r));

                stream->dnstls_events = 0;
                stream->dnstls_data.shutdown = false;
                dns_stream_unref(stream);
                return DNSTLS_STREAM_CLOSED;
        } else if (stream->dnstls_data.handshake < 0) {
                stream->dnstls_data.handshake = gnutls_handshake(stream->dnstls_data.session);
                if (stream->dnstls_data.handshake == GNUTLS_E_AGAIN) {
                        stream->dnstls_events = gnutls_record_get_direction(stream->dnstls_data.session) == 1 ? EPOLLOUT : EPOLLIN;
                        return -EAGAIN;
                } else if (stream->dnstls_data.handshake < 0) {
                        log_debug("Failed to invoke gnutls_handshake: %s", gnutls_strerror(stream->dnstls_data.handshake));
                        if (gnutls_error_is_fatal(stream->dnstls_data.handshake))
                                return -ECONNREFUSED;
                }

                stream->dnstls_events = 0;
        }

        return 0;
}

int dnstls_stream_shutdown(DnsStream *stream, int error) {
        int r;

        assert(stream);
        assert(stream->encrypted);
        assert(stream->dnstls_data.session);

        /* Store TLS Ticket for faster successive TLS handshakes */
        if (stream->server && stream->server->dnstls_data.session_data.size == 0 && stream->dnstls_data.handshake == GNUTLS_E_SUCCESS)
                gnutls_session_get_data2(stream->dnstls_data.session, &stream->server->dnstls_data.session_data);

        if (IN_SET(error, ETIMEDOUT, 0)) {
                r = gnutls_bye(stream->dnstls_data.session, GNUTLS_SHUT_RDWR);
                if (r == GNUTLS_E_AGAIN) {
                        if (!stream->dnstls_data.shutdown) {
                                stream->dnstls_data.shutdown = true;
                                dns_stream_ref(stream);
                                return -EAGAIN;
                        }
                } else if (r < 0)
                        log_debug("Failed to invoke gnutls_bye: %s", gnutls_strerror(r));
        }

        return 0;
}

ssize_t dnstls_stream_write(DnsStream *stream, const char *buf, size_t count) {
        ssize_t ss;

        assert(stream);
        assert(stream->encrypted);
        assert(stream->dnstls_data.session);
        assert(buf);

        ss = gnutls_record_send(stream->dnstls_data.session, buf, count);
        if (ss < 0)
                switch(ss) {
                case GNUTLS_E_INTERRUPTED:
                        return -EINTR;
                case GNUTLS_E_AGAIN:
                        return -EAGAIN;
                default:
                        return log_debug_errno(SYNTHETIC_ERRNO(EPIPE),
                                               "Failed to invoke gnutls_record_send: %s",
                                               gnutls_strerror(ss));
                }

        return ss;
}

ssize_t dnstls_stream_read(DnsStream *stream, void *buf, size_t count) {
        ssize_t ss;

        assert(stream);
        assert(stream->encrypted);
        assert(stream->dnstls_data.session);
        assert(buf);

        ss = gnutls_record_recv(stream->dnstls_data.session, buf, count);
        if (ss < 0)
                switch(ss) {
                case GNUTLS_E_INTERRUPTED:
                        return -EINTR;
                case GNUTLS_E_AGAIN:
                        return -EAGAIN;
                default:
                        return log_debug_errno(SYNTHETIC_ERRNO(EPIPE),
                                               "Failed to invoke gnutls_record_recv: %s",
                                               gnutls_strerror(ss));
                }

        return ss;
}

void dnstls_server_free(DnsServer *server) {
        assert(server);

        if (server->dnstls_data.session_data.data)
                gnutls_free(server->dnstls_data.session_data.data);
}

int dnstls_manager_init(Manager *manager) {
        int r;
        assert(manager);

        r = gnutls_certificate_allocate_credentials(&manager->dnstls_data.cert_cred);
        if (r < 0)
                return -ENOMEM;

        r = gnutls_certificate_set_x509_system_trust(manager->dnstls_data.cert_cred);
        if (r < 0)
                log_warning("Failed to load system trust store: %s", gnutls_strerror(r));

        return 0;
}

void dnstls_manager_free(Manager *manager) {
        assert(manager);

        if (manager->dnstls_data.cert_cred)
                gnutls_certificate_free_credentials(manager->dnstls_data.cert_cred);
}
Commit	Line	Data
6016fcb0 IT	1	/* SPDX-License-Identifier: LGPL-2.1+ */
6016fcb0 IT	2
096cbdce	3	#if !ENABLE_DNS_OVER_TLS \|\| !DNS_OVER_TLS_USE_GNUTLS
6016fcb0 IT	4	#error This source file requires DNS-over-TLS to be enabled and GnuTLS to be available.
	5	#endif
	6
6016fcb0 IT	7	#include <gnutls/socket.h>
6016fcb0 IT	8
72938b93 YW	9	#include "resolved-dns-stream.h"
	10	#include "resolved-dnstls.h"
	11
7f95bb22	12	#define TLS_PROTOCOL_PRIORITY "NORMAL:-VERS-ALL:+VERS-TLS1.3:+VERS-TLS1.2"
6016fcb0 IT	13	DEFINE_TRIVIAL_CLEANUP_FUNC(gnutls_session_t, gnutls_deinit);
	14
	15	static ssize_t dnstls_stream_writev(gnutls_transport_ptr_t p, const giovec_t *iov, int iovcnt) {
	16	int r;
	17
	18	assert(p);
	19
	20	r = dns_stream_writev((DnsStream) p, (const struct iovec) iov, iovcnt, DNS_STREAM_WRITE_TLS_DATA);
	21	if (r < 0) {
	22	errno = -r;
	23	return -1;
	24	}
	25
	26	return r;
	27	}
	28
	29	int dnstls_stream_connect_tls(DnsStream stream, DnsServer server) {
	30	_cleanup_(gnutls_deinitp) gnutls_session_t gs;
	31	int r;
	32
	33	assert(stream);
	34	assert(server);
	35
	36	r = gnutls_init(&gs, GNUTLS_CLIENT \| GNUTLS_ENABLE_FALSE_START \| GNUTLS_NONBLOCK);
	37	if (r < 0)
	38	return r;
	39
	40	/* As DNS-over-TLS is a recent protocol, older TLS versions can be disabled */
7f95bb22	41	r = gnutls_priority_set_direct(gs, TLS_PROTOCOL_PRIORITY, NULL);
6016fcb0 IT	42	if (r < 0)
	43	return r;
	44
e22c5b20	45	r = gnutls_credentials_set(gs, GNUTLS_CRD_CERTIFICATE, stream->manager->dnstls_data.cert_cred);
6016fcb0 IT	46	if (r < 0)
	47	return r;
	48
	49	if (server->dnstls_data.session_data.size > 0) {
	50	gnutls_session_set_data(gs, server->dnstls_data.session_data.data, server->dnstls_data.session_data.size);
	51
	52	// Clear old session ticket
	53	gnutls_free(server->dnstls_data.session_data.data);
	54	server->dnstls_data.session_data.data = NULL;
	55	server->dnstls_data.session_data.size = 0;
	56	}
	57
7f2f4fac	58	if (server->manager->dns_over_tls_mode == DNS_OVER_TLS_YES) {
eec394f1 JT	59	if (server->server_name)
	60	gnutls_session_set_verify_cert(gs, server->server_name, 0);
	61	else {
	62	stream->dnstls_data.validation.type = GNUTLS_DT_IP_ADDRESS;
	63	if (server->family == AF_INET) {
	64	stream->dnstls_data.validation.data = (unsigned char*) &server->address.in.s_addr;
	65	stream->dnstls_data.validation.size = 4;
	66	} else {
	67	stream->dnstls_data.validation.data = server->address.in6.s6_addr;
	68	stream->dnstls_data.validation.size = 16;
	69	}
	70	gnutls_session_set_verify_cert2(gs, &stream->dnstls_data.validation, 1, 0);
7f2f4fac	71	}
7f2f4fac	72	}
4310bfc2	73
2e22a54f GL	74	if (server->server_name) {
	75	r = gnutls_server_name_set(gs, GNUTLS_NAME_DNS, server->server_name, strlen(server->server_name));
	76	if (r < 0)
	77	return log_debug_errno(SYNTHETIC_ERRNO(EINVAL), "Failed to set server name: %s", gnutls_strerror(r));
	78	}
	79
6016fcb0 IT	80	gnutls_handshake_set_timeout(gs, GNUTLS_DEFAULT_HANDSHAKE_TIMEOUT);
	81
	82	gnutls_transport_set_ptr2(gs, (gnutls_transport_ptr_t) (long) stream->fd, stream);
	83	gnutls_transport_set_vec_push_function(gs, &dnstls_stream_writev);
	84
	85	stream->encrypted = true;
	86	stream->dnstls_data.handshake = gnutls_handshake(gs);
	87	if (stream->dnstls_data.handshake < 0 && gnutls_error_is_fatal(stream->dnstls_data.handshake))
	88	return -ECONNREFUSED;
	89
	90	stream->dnstls_data.session = TAKE_PTR(gs);
	91
	92	return 0;
	93	}
	94
	95	void dnstls_stream_free(DnsStream *stream) {
	96	assert(stream);
	97	assert(stream->encrypted);
	98
	99	if (stream->dnstls_data.session)
	100	gnutls_deinit(stream->dnstls_data.session);
	101	}
	102
04c4d919	103	int dnstls_stream_on_io(DnsStream *stream, uint32_t revents) {
6016fcb0 IT	104	int r;
	105
	106	assert(stream);
	107	assert(stream->encrypted);
	108	assert(stream->dnstls_data.session);
	109
	110	if (stream->dnstls_data.shutdown) {
	111	r = gnutls_bye(stream->dnstls_data.session, GNUTLS_SHUT_RDWR);
ba6aaf57 IT	112	if (r == GNUTLS_E_AGAIN) {
ba6aaf57 IT	113	stream->dnstls_events = gnutls_record_get_direction(stream->dnstls_data.session) == 1 ? EPOLLOUT : EPOLLIN;
6016fcb0	114	return -EAGAIN;
ba6aaf57	115	} else if (r < 0)
6016fcb0 IT	116	log_debug("Failed to invoke gnutls_bye: %s", gnutls_strerror(r));
6016fcb0 IT	117
ba6aaf57	118	stream->dnstls_events = 0;
6016fcb0 IT	119	stream->dnstls_data.shutdown = false;
	120	dns_stream_unref(stream);
	121	return DNSTLS_STREAM_CLOSED;
	122	} else if (stream->dnstls_data.handshake < 0) {
	123	stream->dnstls_data.handshake = gnutls_handshake(stream->dnstls_data.session);
ba6aaf57 IT	124	if (stream->dnstls_data.handshake == GNUTLS_E_AGAIN) {
ba6aaf57 IT	125	stream->dnstls_events = gnutls_record_get_direction(stream->dnstls_data.session) == 1 ? EPOLLOUT : EPOLLIN;
6016fcb0	126	return -EAGAIN;
ba6aaf57	127	} else if (stream->dnstls_data.handshake < 0) {
6016fcb0 IT	128	log_debug("Failed to invoke gnutls_handshake: %s", gnutls_strerror(stream->dnstls_data.handshake));
	129	if (gnutls_error_is_fatal(stream->dnstls_data.handshake))
	130	return -ECONNREFUSED;
	131	}
ba6aaf57 IT	132
ba6aaf57 IT	133	stream->dnstls_events = 0;
6016fcb0 IT	134	}
	135
	136	return 0;
	137	}
	138
	139	int dnstls_stream_shutdown(DnsStream *stream, int error) {
	140	int r;
	141
	142	assert(stream);
	143	assert(stream->encrypted);
	144	assert(stream->dnstls_data.session);
	145
5238e957	146	/* Store TLS Ticket for faster successive TLS handshakes */
6016fcb0 IT	147	if (stream->server && stream->server->dnstls_data.session_data.size == 0 && stream->dnstls_data.handshake == GNUTLS_E_SUCCESS)
	148	gnutls_session_get_data2(stream->dnstls_data.session, &stream->server->dnstls_data.session_data);
	149
	150	if (IN_SET(error, ETIMEDOUT, 0)) {
	151	r = gnutls_bye(stream->dnstls_data.session, GNUTLS_SHUT_RDWR);
	152	if (r == GNUTLS_E_AGAIN) {
	153	if (!stream->dnstls_data.shutdown) {
	154	stream->dnstls_data.shutdown = true;
	155	dns_stream_ref(stream);
	156	return -EAGAIN;
	157	}
	158	} else if (r < 0)
	159	log_debug("Failed to invoke gnutls_bye: %s", gnutls_strerror(r));
	160	}
	161
	162	return 0;
	163	}
	164
	165	ssize_t dnstls_stream_write(DnsStream stream, const char buf, size_t count) {
	166	ssize_t ss;
	167
	168	assert(stream);
	169	assert(stream->encrypted);
	170	assert(stream->dnstls_data.session);
	171	assert(buf);
	172
	173	ss = gnutls_record_send(stream->dnstls_data.session, buf, count);
	174	if (ss < 0)
	175	switch(ss) {
	176	case GNUTLS_E_INTERRUPTED:
	177	return -EINTR;
	178	case GNUTLS_E_AGAIN:
	179	return -EAGAIN;
	180	default:
baaa35ad ZJS	181	return log_debug_errno(SYNTHETIC_ERRNO(EPIPE),
	182	"Failed to invoke gnutls_record_send: %s",
	183	gnutls_strerror(ss));
6016fcb0 IT	184	}
	185
	186	return ss;
	187	}
	188
	189	ssize_t dnstls_stream_read(DnsStream stream, void buf, size_t count) {
	190	ssize_t ss;
	191
	192	assert(stream);
	193	assert(stream->encrypted);
	194	assert(stream->dnstls_data.session);
	195	assert(buf);
	196
	197	ss = gnutls_record_recv(stream->dnstls_data.session, buf, count);
	198	if (ss < 0)
	199	switch(ss) {
	200	case GNUTLS_E_INTERRUPTED:
	201	return -EINTR;
	202	case GNUTLS_E_AGAIN:
	203	return -EAGAIN;
	204	default:
baaa35ad ZJS	205	return log_debug_errno(SYNTHETIC_ERRNO(EPIPE),
	206	"Failed to invoke gnutls_record_recv: %s",
	207	gnutls_strerror(ss));
6016fcb0 IT	208	}
	209
	210	return ss;
	211	}
	212
e22c5b20	213	void dnstls_server_free(DnsServer *server) {
6016fcb0 IT	214	assert(server);
6016fcb0 IT	215
e22c5b20 IT	216	if (server->dnstls_data.session_data.data)
e22c5b20 IT	217	gnutls_free(server->dnstls_data.session_data.data);
6016fcb0 IT	218	}
6016fcb0 IT	219
71a681ae	220	int dnstls_manager_init(Manager *manager) {
e22c5b20 IT	221	int r;
e22c5b20 IT	222	assert(manager);
6016fcb0	223
71a681ae	224	r = gnutls_certificate_allocate_credentials(&manager->dnstls_data.cert_cred);
e22c5b20	225	if (r < 0)
71a681ae IT	226	return -ENOMEM;
71a681ae IT	227
4310bfc2 IT	228	r = gnutls_certificate_set_x509_system_trust(manager->dnstls_data.cert_cred);
	229	if (r < 0)
	230	log_warning("Failed to load system trust store: %s", gnutls_strerror(r));
	231
71a681ae	232	return 0;
e22c5b20	233	}
6016fcb0	234
e22c5b20 IT	235	void dnstls_manager_free(Manager *manager) {
	236	assert(manager);
	237
	238	if (manager->dnstls_data.cert_cred)
	239	gnutls_certificate_free_credentials(manager->dnstls_data.cert_cred);
6016fcb0	240	}