]>
Commit | Line | Data |
---|---|---|
6016fcb0 IT |
1 | /* SPDX-License-Identifier: LGPL-2.1+ */ |
2 | ||
096cbdce | 3 | #if !ENABLE_DNS_OVER_TLS || !DNS_OVER_TLS_USE_GNUTLS |
6016fcb0 IT |
4 | #error This source file requires DNS-over-TLS to be enabled and GnuTLS to be available. |
5 | #endif | |
6 | ||
6016fcb0 IT |
7 | #include <gnutls/socket.h> |
8 | ||
72938b93 YW |
9 | #include "resolved-dns-stream.h" |
10 | #include "resolved-dnstls.h" | |
11 | ||
7f95bb22 | 12 | #define TLS_PROTOCOL_PRIORITY "NORMAL:-VERS-ALL:+VERS-TLS1.3:+VERS-TLS1.2" |
6016fcb0 IT |
13 | DEFINE_TRIVIAL_CLEANUP_FUNC(gnutls_session_t, gnutls_deinit); |
14 | ||
15 | static ssize_t dnstls_stream_writev(gnutls_transport_ptr_t p, const giovec_t *iov, int iovcnt) { | |
16 | int r; | |
17 | ||
18 | assert(p); | |
19 | ||
20 | r = dns_stream_writev((DnsStream*) p, (const struct iovec*) iov, iovcnt, DNS_STREAM_WRITE_TLS_DATA); | |
21 | if (r < 0) { | |
22 | errno = -r; | |
23 | return -1; | |
24 | } | |
25 | ||
26 | return r; | |
27 | } | |
28 | ||
29 | int dnstls_stream_connect_tls(DnsStream *stream, DnsServer *server) { | |
30 | _cleanup_(gnutls_deinitp) gnutls_session_t gs; | |
31 | int r; | |
32 | ||
33 | assert(stream); | |
34 | assert(server); | |
35 | ||
36 | r = gnutls_init(&gs, GNUTLS_CLIENT | GNUTLS_ENABLE_FALSE_START | GNUTLS_NONBLOCK); | |
37 | if (r < 0) | |
38 | return r; | |
39 | ||
40 | /* As DNS-over-TLS is a recent protocol, older TLS versions can be disabled */ | |
7f95bb22 | 41 | r = gnutls_priority_set_direct(gs, TLS_PROTOCOL_PRIORITY, NULL); |
6016fcb0 IT |
42 | if (r < 0) |
43 | return r; | |
44 | ||
e22c5b20 | 45 | r = gnutls_credentials_set(gs, GNUTLS_CRD_CERTIFICATE, stream->manager->dnstls_data.cert_cred); |
6016fcb0 IT |
46 | if (r < 0) |
47 | return r; | |
48 | ||
49 | if (server->dnstls_data.session_data.size > 0) { | |
50 | gnutls_session_set_data(gs, server->dnstls_data.session_data.data, server->dnstls_data.session_data.size); | |
51 | ||
52 | // Clear old session ticket | |
53 | gnutls_free(server->dnstls_data.session_data.data); | |
54 | server->dnstls_data.session_data.data = NULL; | |
55 | server->dnstls_data.session_data.size = 0; | |
56 | } | |
57 | ||
7f2f4fac | 58 | if (server->manager->dns_over_tls_mode == DNS_OVER_TLS_YES) { |
eec394f1 JT |
59 | if (server->server_name) |
60 | gnutls_session_set_verify_cert(gs, server->server_name, 0); | |
61 | else { | |
62 | stream->dnstls_data.validation.type = GNUTLS_DT_IP_ADDRESS; | |
63 | if (server->family == AF_INET) { | |
64 | stream->dnstls_data.validation.data = (unsigned char*) &server->address.in.s_addr; | |
65 | stream->dnstls_data.validation.size = 4; | |
66 | } else { | |
67 | stream->dnstls_data.validation.data = server->address.in6.s6_addr; | |
68 | stream->dnstls_data.validation.size = 16; | |
69 | } | |
70 | gnutls_session_set_verify_cert2(gs, &stream->dnstls_data.validation, 1, 0); | |
7f2f4fac | 71 | } |
7f2f4fac | 72 | } |
4310bfc2 | 73 | |
2e22a54f GL |
74 | if (server->server_name) { |
75 | r = gnutls_server_name_set(gs, GNUTLS_NAME_DNS, server->server_name, strlen(server->server_name)); | |
76 | if (r < 0) | |
77 | return log_debug_errno(SYNTHETIC_ERRNO(EINVAL), "Failed to set server name: %s", gnutls_strerror(r)); | |
78 | } | |
79 | ||
6016fcb0 IT |
80 | gnutls_handshake_set_timeout(gs, GNUTLS_DEFAULT_HANDSHAKE_TIMEOUT); |
81 | ||
82 | gnutls_transport_set_ptr2(gs, (gnutls_transport_ptr_t) (long) stream->fd, stream); | |
83 | gnutls_transport_set_vec_push_function(gs, &dnstls_stream_writev); | |
84 | ||
85 | stream->encrypted = true; | |
86 | stream->dnstls_data.handshake = gnutls_handshake(gs); | |
87 | if (stream->dnstls_data.handshake < 0 && gnutls_error_is_fatal(stream->dnstls_data.handshake)) | |
88 | return -ECONNREFUSED; | |
89 | ||
90 | stream->dnstls_data.session = TAKE_PTR(gs); | |
91 | ||
92 | return 0; | |
93 | } | |
94 | ||
95 | void dnstls_stream_free(DnsStream *stream) { | |
96 | assert(stream); | |
97 | assert(stream->encrypted); | |
98 | ||
99 | if (stream->dnstls_data.session) | |
100 | gnutls_deinit(stream->dnstls_data.session); | |
101 | } | |
102 | ||
04c4d919 | 103 | int dnstls_stream_on_io(DnsStream *stream, uint32_t revents) { |
6016fcb0 IT |
104 | int r; |
105 | ||
106 | assert(stream); | |
107 | assert(stream->encrypted); | |
108 | assert(stream->dnstls_data.session); | |
109 | ||
110 | if (stream->dnstls_data.shutdown) { | |
111 | r = gnutls_bye(stream->dnstls_data.session, GNUTLS_SHUT_RDWR); | |
ba6aaf57 IT |
112 | if (r == GNUTLS_E_AGAIN) { |
113 | stream->dnstls_events = gnutls_record_get_direction(stream->dnstls_data.session) == 1 ? EPOLLOUT : EPOLLIN; | |
6016fcb0 | 114 | return -EAGAIN; |
ba6aaf57 | 115 | } else if (r < 0) |
6016fcb0 IT |
116 | log_debug("Failed to invoke gnutls_bye: %s", gnutls_strerror(r)); |
117 | ||
ba6aaf57 | 118 | stream->dnstls_events = 0; |
6016fcb0 IT |
119 | stream->dnstls_data.shutdown = false; |
120 | dns_stream_unref(stream); | |
121 | return DNSTLS_STREAM_CLOSED; | |
122 | } else if (stream->dnstls_data.handshake < 0) { | |
123 | stream->dnstls_data.handshake = gnutls_handshake(stream->dnstls_data.session); | |
ba6aaf57 IT |
124 | if (stream->dnstls_data.handshake == GNUTLS_E_AGAIN) { |
125 | stream->dnstls_events = gnutls_record_get_direction(stream->dnstls_data.session) == 1 ? EPOLLOUT : EPOLLIN; | |
6016fcb0 | 126 | return -EAGAIN; |
ba6aaf57 | 127 | } else if (stream->dnstls_data.handshake < 0) { |
6016fcb0 IT |
128 | log_debug("Failed to invoke gnutls_handshake: %s", gnutls_strerror(stream->dnstls_data.handshake)); |
129 | if (gnutls_error_is_fatal(stream->dnstls_data.handshake)) | |
130 | return -ECONNREFUSED; | |
131 | } | |
ba6aaf57 IT |
132 | |
133 | stream->dnstls_events = 0; | |
6016fcb0 IT |
134 | } |
135 | ||
136 | return 0; | |
137 | } | |
138 | ||
139 | int dnstls_stream_shutdown(DnsStream *stream, int error) { | |
140 | int r; | |
141 | ||
142 | assert(stream); | |
143 | assert(stream->encrypted); | |
144 | assert(stream->dnstls_data.session); | |
145 | ||
5238e957 | 146 | /* Store TLS Ticket for faster successive TLS handshakes */ |
6016fcb0 IT |
147 | if (stream->server && stream->server->dnstls_data.session_data.size == 0 && stream->dnstls_data.handshake == GNUTLS_E_SUCCESS) |
148 | gnutls_session_get_data2(stream->dnstls_data.session, &stream->server->dnstls_data.session_data); | |
149 | ||
150 | if (IN_SET(error, ETIMEDOUT, 0)) { | |
151 | r = gnutls_bye(stream->dnstls_data.session, GNUTLS_SHUT_RDWR); | |
152 | if (r == GNUTLS_E_AGAIN) { | |
153 | if (!stream->dnstls_data.shutdown) { | |
154 | stream->dnstls_data.shutdown = true; | |
155 | dns_stream_ref(stream); | |
156 | return -EAGAIN; | |
157 | } | |
158 | } else if (r < 0) | |
159 | log_debug("Failed to invoke gnutls_bye: %s", gnutls_strerror(r)); | |
160 | } | |
161 | ||
162 | return 0; | |
163 | } | |
164 | ||
165 | ssize_t dnstls_stream_write(DnsStream *stream, const char *buf, size_t count) { | |
166 | ssize_t ss; | |
167 | ||
168 | assert(stream); | |
169 | assert(stream->encrypted); | |
170 | assert(stream->dnstls_data.session); | |
171 | assert(buf); | |
172 | ||
173 | ss = gnutls_record_send(stream->dnstls_data.session, buf, count); | |
174 | if (ss < 0) | |
175 | switch(ss) { | |
176 | case GNUTLS_E_INTERRUPTED: | |
177 | return -EINTR; | |
178 | case GNUTLS_E_AGAIN: | |
179 | return -EAGAIN; | |
180 | default: | |
baaa35ad ZJS |
181 | return log_debug_errno(SYNTHETIC_ERRNO(EPIPE), |
182 | "Failed to invoke gnutls_record_send: %s", | |
183 | gnutls_strerror(ss)); | |
6016fcb0 IT |
184 | } |
185 | ||
186 | return ss; | |
187 | } | |
188 | ||
189 | ssize_t dnstls_stream_read(DnsStream *stream, void *buf, size_t count) { | |
190 | ssize_t ss; | |
191 | ||
192 | assert(stream); | |
193 | assert(stream->encrypted); | |
194 | assert(stream->dnstls_data.session); | |
195 | assert(buf); | |
196 | ||
197 | ss = gnutls_record_recv(stream->dnstls_data.session, buf, count); | |
198 | if (ss < 0) | |
199 | switch(ss) { | |
200 | case GNUTLS_E_INTERRUPTED: | |
201 | return -EINTR; | |
202 | case GNUTLS_E_AGAIN: | |
203 | return -EAGAIN; | |
204 | default: | |
baaa35ad ZJS |
205 | return log_debug_errno(SYNTHETIC_ERRNO(EPIPE), |
206 | "Failed to invoke gnutls_record_recv: %s", | |
207 | gnutls_strerror(ss)); | |
6016fcb0 IT |
208 | } |
209 | ||
210 | return ss; | |
211 | } | |
212 | ||
e22c5b20 | 213 | void dnstls_server_free(DnsServer *server) { |
6016fcb0 IT |
214 | assert(server); |
215 | ||
e22c5b20 IT |
216 | if (server->dnstls_data.session_data.data) |
217 | gnutls_free(server->dnstls_data.session_data.data); | |
6016fcb0 IT |
218 | } |
219 | ||
71a681ae | 220 | int dnstls_manager_init(Manager *manager) { |
e22c5b20 IT |
221 | int r; |
222 | assert(manager); | |
6016fcb0 | 223 | |
71a681ae | 224 | r = gnutls_certificate_allocate_credentials(&manager->dnstls_data.cert_cred); |
e22c5b20 | 225 | if (r < 0) |
71a681ae IT |
226 | return -ENOMEM; |
227 | ||
4310bfc2 IT |
228 | r = gnutls_certificate_set_x509_system_trust(manager->dnstls_data.cert_cred); |
229 | if (r < 0) | |
230 | log_warning("Failed to load system trust store: %s", gnutls_strerror(r)); | |
231 | ||
71a681ae | 232 | return 0; |
e22c5b20 | 233 | } |
6016fcb0 | 234 | |
e22c5b20 IT |
235 | void dnstls_manager_free(Manager *manager) { |
236 | assert(manager); | |
237 | ||
238 | if (manager->dnstls_data.cert_cred) | |
239 | gnutls_certificate_free_credentials(manager->dnstls_data.cert_cred); | |
6016fcb0 | 240 | } |