]> git.ipfire.org Git - thirdparty/systemd.git/blob - src/resolve/resolved-dnstls-gnutls.c
projects / thirdparty / systemd.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
Merge pull request #15669 from andir/systemd-ipv6-pd-subnet-id
[thirdparty/systemd.git] / src / resolve / resolved-dnstls-gnutls.c
1 /* SPDX-License-Identifier: LGPL-2.1+ */
2
3 #if !ENABLE_DNS_OVER_TLS || !DNS_OVER_TLS_USE_GNUTLS
4 #error This source file requires DNS-over-TLS to be enabled and GnuTLS to be available.
5 #endif
6
7 #include <gnutls/socket.h>
8
9 #include "resolved-dns-stream.h"
10 #include "resolved-dnstls.h"
11 #include "resolved-manager.h"
12
13 #define TLS_PROTOCOL_PRIORITY "NORMAL:-VERS-ALL:+VERS-TLS1.3:+VERS-TLS1.2"
14 DEFINE_TRIVIAL_CLEANUP_FUNC(gnutls_session_t, gnutls_deinit);
15
16 static ssize_t dnstls_stream_writev(gnutls_transport_ptr_t p, const giovec_t *iov, int iovcnt) {
17 int r;
18
19 assert(p);
20
21 r = dns_stream_writev((DnsStream*) p, (const struct iovec*) iov, iovcnt, DNS_STREAM_WRITE_TLS_DATA);
22 if (r < 0) {
23 errno = -r;
24 return -1;
25 }
26
27 return r;
28 }
29
30 int dnstls_stream_connect_tls(DnsStream *stream, DnsServer *server) {
31 _cleanup_(gnutls_deinitp) gnutls_session_t gs = NULL;
32 int r;
33
34 assert(stream);
35 assert(server);
36
37 r = gnutls_init(&gs, GNUTLS_CLIENT | GNUTLS_ENABLE_FALSE_START | GNUTLS_NONBLOCK);
38 if (r < 0)
39 return r;
40
41 /* As DNS-over-TLS is a recent protocol, older TLS versions can be disabled */
42 r = gnutls_priority_set_direct(gs, TLS_PROTOCOL_PRIORITY, NULL);
43 if (r < 0)
44 return r;
45
46 r = gnutls_credentials_set(gs, GNUTLS_CRD_CERTIFICATE, stream->manager->dnstls_data.cert_cred);
47 if (r < 0)
48 return r;
49
50 if (server->dnstls_data.session_data.size > 0) {
51 gnutls_session_set_data(gs, server->dnstls_data.session_data.data, server->dnstls_data.session_data.size);
52
53 // Clear old session ticket
54 gnutls_free(server->dnstls_data.session_data.data);
55 server->dnstls_data.session_data.data = NULL;
56 server->dnstls_data.session_data.size = 0;
57 }
58
59 if (server->manager->dns_over_tls_mode == DNS_OVER_TLS_YES) {
60 if (server->server_name)
61 gnutls_session_set_verify_cert(gs, server->server_name, 0);
62 else {
63 stream->dnstls_data.validation.type = GNUTLS_DT_IP_ADDRESS;
64 if (server->family == AF_INET) {
65 stream->dnstls_data.validation.data = (unsigned char*) &server->address.in.s_addr;
66 stream->dnstls_data.validation.size = 4;
67 } else {
68 stream->dnstls_data.validation.data = server->address.in6.s6_addr;
69 stream->dnstls_data.validation.size = 16;
70 }
71 gnutls_session_set_verify_cert2(gs, &stream->dnstls_data.validation, 1, 0);
72 }
73 }
74
75 if (server->server_name) {
76 r = gnutls_server_name_set(gs, GNUTLS_NAME_DNS, server->server_name, strlen(server->server_name));
77 if (r < 0)
78 return log_debug_errno(SYNTHETIC_ERRNO(EINVAL), "Failed to set server name: %s", gnutls_strerror(r));
79 }
80
81 gnutls_handshake_set_timeout(gs, GNUTLS_DEFAULT_HANDSHAKE_TIMEOUT);
82
83 gnutls_transport_set_ptr2(gs, (gnutls_transport_ptr_t) (long) stream->fd, stream);
84 gnutls_transport_set_vec_push_function(gs, &dnstls_stream_writev);
85
86 stream->encrypted = true;
87 stream->dnstls_data.handshake = gnutls_handshake(gs);
88 if (stream->dnstls_data.handshake < 0 && gnutls_error_is_fatal(stream->dnstls_data.handshake))
89 return -ECONNREFUSED;
90
91 stream->dnstls_data.session = TAKE_PTR(gs);
92
93 return 0;
94 }
95
96 void dnstls_stream_free(DnsStream *stream) {
97 assert(stream);
98 assert(stream->encrypted);
99
100 if (stream->dnstls_data.session)
101 gnutls_deinit(stream->dnstls_data.session);
102 }
103
104 int dnstls_stream_on_io(DnsStream *stream, uint32_t revents) {
105 int r;
106
107 assert(stream);
108 assert(stream->encrypted);
109 assert(stream->dnstls_data.session);
110
111 if (stream->dnstls_data.shutdown) {
112 r = gnutls_bye(stream->dnstls_data.session, GNUTLS_SHUT_RDWR);
113 if (r == GNUTLS_E_AGAIN) {
114 stream->dnstls_events = gnutls_record_get_direction(stream->dnstls_data.session) == 1 ? EPOLLOUT : EPOLLIN;
115 return -EAGAIN;
116 } else if (r < 0)
117 log_debug("Failed to invoke gnutls_bye: %s", gnutls_strerror(r));
118
119 stream->dnstls_events = 0;
120 stream->dnstls_data.shutdown = false;
121 dns_stream_unref(stream);
122 return DNSTLS_STREAM_CLOSED;
123 } else if (stream->dnstls_data.handshake < 0) {
124 stream->dnstls_data.handshake = gnutls_handshake(stream->dnstls_data.session);
125 if (stream->dnstls_data.handshake == GNUTLS_E_AGAIN) {
126 stream->dnstls_events = gnutls_record_get_direction(stream->dnstls_data.session) == 1 ? EPOLLOUT : EPOLLIN;
127 return -EAGAIN;
128 } else if (stream->dnstls_data.handshake < 0) {
129 log_debug("Failed to invoke gnutls_handshake: %s", gnutls_strerror(stream->dnstls_data.handshake));
130 if (gnutls_error_is_fatal(stream->dnstls_data.handshake))
131 return -ECONNREFUSED;
132 }
133
134 stream->dnstls_events = 0;
135 }
136
137 return 0;
138 }
139
140 int dnstls_stream_shutdown(DnsStream *stream, int error) {
141 int r;
142
143 assert(stream);
144 assert(stream->encrypted);
145 assert(stream->dnstls_data.session);
146
147 /* Store TLS Ticket for faster successive TLS handshakes */
148 if (stream->server && stream->server->dnstls_data.session_data.size == 0 && stream->dnstls_data.handshake == GNUTLS_E_SUCCESS)
149 gnutls_session_get_data2(stream->dnstls_data.session, &stream->server->dnstls_data.session_data);
150
151 if (IN_SET(error, ETIMEDOUT, 0)) {
152 r = gnutls_bye(stream->dnstls_data.session, GNUTLS_SHUT_RDWR);
153 if (r == GNUTLS_E_AGAIN) {
154 if (!stream->dnstls_data.shutdown) {
155 stream->dnstls_data.shutdown = true;
156 dns_stream_ref(stream);
157 return -EAGAIN;
158 }
159 } else if (r < 0)
160 log_debug("Failed to invoke gnutls_bye: %s", gnutls_strerror(r));
161 }
162
163 return 0;
164 }
165
166 ssize_t dnstls_stream_write(DnsStream *stream, const char *buf, size_t count) {
167 ssize_t ss;
168
169 assert(stream);
170 assert(stream->encrypted);
171 assert(stream->dnstls_data.session);
172 assert(buf);
173
174 ss = gnutls_record_send(stream->dnstls_data.session, buf, count);
175 if (ss < 0)
176 switch(ss) {
177 case GNUTLS_E_INTERRUPTED:
178 return -EINTR;
179 case GNUTLS_E_AGAIN:
180 return -EAGAIN;
181 default:
182 return log_debug_errno(SYNTHETIC_ERRNO(EPIPE),
183 "Failed to invoke gnutls_record_send: %s",
184 gnutls_strerror(ss));
185 }
186
187 return ss;
188 }
189
190 ssize_t dnstls_stream_read(DnsStream *stream, void *buf, size_t count) {
191 ssize_t ss;
192
193 assert(stream);
194 assert(stream->encrypted);
195 assert(stream->dnstls_data.session);
196 assert(buf);
197
198 ss = gnutls_record_recv(stream->dnstls_data.session, buf, count);
199 if (ss < 0)
200 switch(ss) {
201 case GNUTLS_E_INTERRUPTED:
202 return -EINTR;
203 case GNUTLS_E_AGAIN:
204 return -EAGAIN;
205 default:
206 return log_debug_errno(SYNTHETIC_ERRNO(EPIPE),
207 "Failed to invoke gnutls_record_recv: %s",
208 gnutls_strerror(ss));
209 }
210
211 return ss;
212 }
213
214 void dnstls_server_free(DnsServer *server) {
215 assert(server);
216
217 if (server->dnstls_data.session_data.data)
218 gnutls_free(server->dnstls_data.session_data.data);
219 }
220
221 int dnstls_manager_init(Manager *manager) {
222 int r;
223 assert(manager);
224
225 r = gnutls_certificate_allocate_credentials(&manager->dnstls_data.cert_cred);
226 if (r < 0)
227 return -ENOMEM;
228
229 r = gnutls_certificate_set_x509_system_trust(manager->dnstls_data.cert_cred);
230 if (r < 0)
231 log_warning("Failed to load system trust store: %s", gnutls_strerror(r));
232
233 return 0;
234 }
235
236 void dnstls_manager_free(Manager *manager) {
237 assert(manager);
238
239 if (manager->dnstls_data.cert_cred)
240 gnutls_certificate_free_credentials(manager->dnstls_data.cert_cred);
241 }
Unnamed repository; edit this file 'description' to name the repository.