[thirdparty/systemd.git] / src / resolve / resolved-dnstls-openssl.c

/* SPDX-License-Identifier: LGPL-2.1+ */

#if !ENABLE_DNS_OVER_TLS || !DNS_OVER_TLS_USE_OPENSSL
#error This source file requires DNS-over-TLS to be enabled and OpenSSL to be available.
#endif

#include <openssl/bio.h>
#include <openssl/err.h>
#include <openssl/x509v3.h>

#include "io-util.h"
#include "resolved-dns-stream.h"
#include "resolved-dnstls.h"
#include "resolved-manager.h"

DEFINE_TRIVIAL_CLEANUP_FUNC(SSL*, SSL_free);
DEFINE_TRIVIAL_CLEANUP_FUNC(BIO*, BIO_free);

static int dnstls_flush_write_buffer(DnsStream *stream) {
        ssize_t ss;

        assert(stream);
        assert(stream->encrypted);

        if (stream->dnstls_data.buffer_offset < stream->dnstls_data.write_buffer->length) {
                assert(stream->dnstls_data.write_buffer->data);

                struct iovec iov[1];
                iov[0] = IOVEC_MAKE(stream->dnstls_data.write_buffer->data + stream->dnstls_data.buffer_offset,
                                    stream->dnstls_data.write_buffer->length - stream->dnstls_data.buffer_offset);
                ss = dns_stream_writev(stream, iov, 1, DNS_STREAM_WRITE_TLS_DATA);
                if (ss < 0) {
                        if (ss == -EAGAIN)
                                stream->dnstls_events |= EPOLLOUT;

                        return ss;
                } else {
                        stream->dnstls_data.buffer_offset += ss;

                        if (stream->dnstls_data.buffer_offset < stream->dnstls_data.write_buffer->length) {
                                stream->dnstls_events |= EPOLLOUT;
                                return -EAGAIN;
                        } else {
                                BIO_reset(SSL_get_wbio(stream->dnstls_data.ssl));
                                stream->dnstls_data.buffer_offset = 0;
                        }
                }
        }

        return 0;
}

int dnstls_stream_connect_tls(DnsStream *stream, DnsServer *server) {
        _cleanup_(BIO_freep) BIO *rb = NULL, *wb = NULL;
        _cleanup_(SSL_freep) SSL *s = NULL;
        int error, r;

        assert(stream);
        assert(stream->manager);
        assert(server);

        rb = BIO_new_socket(stream->fd, 0);
        if (!rb)
                return -ENOMEM;

        wb = BIO_new(BIO_s_mem());
        if (!wb)
                return -ENOMEM;

        BIO_get_mem_ptr(wb, &stream->dnstls_data.write_buffer);
        stream->dnstls_data.buffer_offset = 0;

        s = SSL_new(stream->manager->dnstls_data.ctx);
        if (!s)
                return -ENOMEM;

        SSL_set_connect_state(s);
        r = SSL_set_session(s, server->dnstls_data.session);
        if (r == 0)
                return -EIO;
        SSL_set_bio(s, TAKE_PTR(rb), TAKE_PTR(wb));

        if (server->manager->dns_over_tls_mode == DNS_OVER_TLS_YES) {
                X509_VERIFY_PARAM *v;

                SSL_set_verify(s, SSL_VERIFY_PEER, NULL);
                v = SSL_get0_param(s);
                if (server->server_name) {
                        X509_VERIFY_PARAM_set_hostflags(v, X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS);
                        if (X509_VERIFY_PARAM_set1_host(v, server->server_name, 0) == 0)
                                return -ECONNREFUSED;
                } else {
                        const unsigned char *ip;
                        ip = server->family == AF_INET ? (const unsigned char*) &server->address.in.s_addr : server->address.in6.s6_addr;
                        if (X509_VERIFY_PARAM_set1_ip(v, ip, FAMILY_ADDRESS_SIZE(server->family)) == 0)
                                return -ECONNREFUSED;
                }
        }

        if (server->server_name) {
                r = SSL_set_tlsext_host_name(s, server->server_name);
                if (r <= 0) {
                        char errbuf[256];

                        error = ERR_get_error();
                        ERR_error_string_n(error, errbuf, sizeof(errbuf));
                        return log_debug_errno(SYNTHETIC_ERRNO(EINVAL), "Failed to set server name: %s", errbuf);
                }
        }

        ERR_clear_error();
        stream->dnstls_data.handshake = SSL_do_handshake(s);
        if (stream->dnstls_data.handshake <= 0) {
                error = SSL_get_error(s, stream->dnstls_data.handshake);
                if (!IN_SET(error, SSL_ERROR_WANT_READ, SSL_ERROR_WANT_WRITE)) {
                        char errbuf[256];

                        ERR_error_string_n(error, errbuf, sizeof(errbuf));
                        return log_debug_errno(SYNTHETIC_ERRNO(ECONNREFUSED),
                                               "Failed to invoke SSL_do_handshake: %s", errbuf);
                }
        }

        stream->encrypted = true;
        stream->dnstls_data.ssl = TAKE_PTR(s);

        r = dnstls_flush_write_buffer(stream);
        if (r < 0 && r != -EAGAIN) {
                SSL_free(TAKE_PTR(stream->dnstls_data.ssl));
                return r;
        }

        return 0;
}

void dnstls_stream_free(DnsStream *stream) {
        assert(stream);
        assert(stream->encrypted);

        if (stream->dnstls_data.ssl)
                SSL_free(stream->dnstls_data.ssl);
}

int dnstls_stream_on_io(DnsStream *stream, uint32_t revents) {
        int error, r;

        assert(stream);
        assert(stream->encrypted);
        assert(stream->dnstls_data.ssl);

        /* Flush write buffer when requested by OpenSSL */
        if ((revents & EPOLLOUT) && (stream->dnstls_events & EPOLLOUT)) {
                r = dnstls_flush_write_buffer(stream);
                if (r < 0)
                        return r;
        }

        if (stream->dnstls_data.shutdown) {
                ERR_clear_error();
                r = SSL_shutdown(stream->dnstls_data.ssl);
                if (r == 0) {
                        stream->dnstls_events = 0;

                        r = dnstls_flush_write_buffer(stream);
                        if (r < 0)
                                return r;

                        return -EAGAIN;
                } else if (r < 0) {
                        error = SSL_get_error(stream->dnstls_data.ssl, r);
                        if (IN_SET(error, SSL_ERROR_WANT_READ, SSL_ERROR_WANT_WRITE)) {
                                stream->dnstls_events = error == SSL_ERROR_WANT_READ ? EPOLLIN : EPOLLOUT;

                                r = dnstls_flush_write_buffer(stream);
                                if (r < 0)
                                        return r;

                                return -EAGAIN;
                        } else if (error == SSL_ERROR_SYSCALL) {
                                if (errno > 0)
                                        log_debug_errno(errno, "Failed to invoke SSL_shutdown, ignoring: %m");
                        } else {
                                char errbuf[256];

                                ERR_error_string_n(error, errbuf, sizeof(errbuf));
                                log_debug("Failed to invoke SSL_shutdown, ignoring: %s", errbuf);
                        }
                }

                stream->dnstls_events = 0;
                stream->dnstls_data.shutdown = false;

                r = dnstls_flush_write_buffer(stream);
                if (r < 0)
                        return r;

                dns_stream_unref(stream);
                return DNSTLS_STREAM_CLOSED;
        } else if (stream->dnstls_data.handshake <= 0) {
                ERR_clear_error();
                stream->dnstls_data.handshake = SSL_do_handshake(stream->dnstls_data.ssl);
                if (stream->dnstls_data.handshake <= 0) {
                        error = SSL_get_error(stream->dnstls_data.ssl, stream->dnstls_data.handshake);
                        if (IN_SET(error, SSL_ERROR_WANT_READ, SSL_ERROR_WANT_WRITE)) {
                                stream->dnstls_events = error == SSL_ERROR_WANT_READ ? EPOLLIN : EPOLLOUT;
                                r = dnstls_flush_write_buffer(stream);
                                if (r < 0)
                                        return r;

                                return -EAGAIN;
                        } else {
                                char errbuf[256];

                                ERR_error_string_n(error, errbuf, sizeof(errbuf));
                                return log_debug_errno(SYNTHETIC_ERRNO(ECONNREFUSED),
                                                       "Failed to invoke SSL_do_handshake: %s",
                                                       errbuf);
                        }
                }

                stream->dnstls_events = 0;
                r = dnstls_flush_write_buffer(stream);
                if (r < 0)
                        return r;
        }

        return 0;
}

int dnstls_stream_shutdown(DnsStream *stream, int error) {
        int ssl_error, r;
        SSL_SESSION *s;

        assert(stream);
        assert(stream->encrypted);
        assert(stream->dnstls_data.ssl);

        if (stream->server) {
                s = SSL_get1_session(stream->dnstls_data.ssl);
                if (s) {
                        if (stream->server->dnstls_data.session)
                                SSL_SESSION_free(stream->server->dnstls_data.session);

                        stream->server->dnstls_data.session = s;
                }
        }

        if (error == ETIMEDOUT) {
                ERR_clear_error();
                r = SSL_shutdown(stream->dnstls_data.ssl);
                if (r == 0) {
                        if (!stream->dnstls_data.shutdown) {
                                stream->dnstls_data.shutdown = true;
                                dns_stream_ref(stream);
                        }

                        stream->dnstls_events = 0;

                        r = dnstls_flush_write_buffer(stream);
                        if (r < 0)
                                return r;

                        return -EAGAIN;
                } else if (r < 0) {
                        ssl_error = SSL_get_error(stream->dnstls_data.ssl, r);
                        if (IN_SET(ssl_error, SSL_ERROR_WANT_READ, SSL_ERROR_WANT_WRITE)) {
                                stream->dnstls_events = ssl_error == SSL_ERROR_WANT_READ ? EPOLLIN : EPOLLOUT;
                                r = dnstls_flush_write_buffer(stream);
                                if (r < 0 && r != -EAGAIN)
                                        return r;

                                if (!stream->dnstls_data.shutdown) {
                                        stream->dnstls_data.shutdown = true;
                                        dns_stream_ref(stream);
                                }
                                return -EAGAIN;
                        } else if (ssl_error == SSL_ERROR_SYSCALL) {
                                if (errno > 0)
                                        log_debug_errno(errno, "Failed to invoke SSL_shutdown, ignoring: %m");
                        } else {
                                char errbuf[256];

                                ERR_error_string_n(ssl_error, errbuf, sizeof(errbuf));
                                log_debug("Failed to invoke SSL_shutdown, ignoring: %s", errbuf);
                        }
                }

                stream->dnstls_events = 0;
                r = dnstls_flush_write_buffer(stream);
                if (r < 0)
                        return r;
        }

        return 0;
}

ssize_t dnstls_stream_write(DnsStream *stream, const char *buf, size_t count) {
        int error, r;
        ssize_t ss;

        assert(stream);
        assert(stream->encrypted);
        assert(stream->dnstls_data.ssl);
        assert(buf);

        ERR_clear_error();
        ss = r = SSL_write(stream->dnstls_data.ssl, buf, count);
        if (r <= 0) {
                error = SSL_get_error(stream->dnstls_data.ssl, r);
                if (IN_SET(error, SSL_ERROR_WANT_READ, SSL_ERROR_WANT_WRITE)) {
                        stream->dnstls_events = error == SSL_ERROR_WANT_READ ? EPOLLIN : EPOLLOUT;
                        ss = -EAGAIN;
                } else if (error == SSL_ERROR_ZERO_RETURN) {
                        stream->dnstls_events = 0;
                        ss = 0;
                } else {
                        char errbuf[256];

                        ERR_error_string_n(error, errbuf, sizeof(errbuf));
                        log_debug("Failed to invoke SSL_write: %s", errbuf);
                        stream->dnstls_events = 0;
                        ss = -EPIPE;
                }
        } else
                stream->dnstls_events = 0;

        r = dnstls_flush_write_buffer(stream);
        if (r < 0)
                return r;

        return ss;
}

ssize_t dnstls_stream_read(DnsStream *stream, void *buf, size_t count) {
        int error, r;
        ssize_t ss;

        assert(stream);
        assert(stream->encrypted);
        assert(stream->dnstls_data.ssl);
        assert(buf);

        ERR_clear_error();
        ss = r = SSL_read(stream->dnstls_data.ssl, buf, count);
        if (r <= 0) {
                error = SSL_get_error(stream->dnstls_data.ssl, r);
                if (IN_SET(error, SSL_ERROR_WANT_READ, SSL_ERROR_WANT_WRITE)) {
                        stream->dnstls_events = error == SSL_ERROR_WANT_READ ? EPOLLIN : EPOLLOUT;
                        ss = -EAGAIN;
                } else if (error == SSL_ERROR_ZERO_RETURN) {
                        stream->dnstls_events = 0;
                        ss = 0;
                } else {
                        char errbuf[256];

                        ERR_error_string_n(error, errbuf, sizeof(errbuf));
                        log_debug("Failed to invoke SSL_read: %s", errbuf);
                        stream->dnstls_events = 0;
                        ss = -EPIPE;
                }
        } else
                stream->dnstls_events = 0;

        /* flush write buffer in cache of renegotiation */
        r = dnstls_flush_write_buffer(stream);
        if (r < 0)
                return r;

        return ss;
}

void dnstls_server_free(DnsServer *server) {
        assert(server);

        if (server->dnstls_data.session)
                SSL_SESSION_free(server->dnstls_data.session);
}

int dnstls_manager_init(Manager *manager) {
        int r;

        assert(manager);

        ERR_load_crypto_strings();
        SSL_load_error_strings();

        manager->dnstls_data.ctx = SSL_CTX_new(TLS_client_method());
        if (!manager->dnstls_data.ctx)
                return -ENOMEM;

        r = SSL_CTX_set_min_proto_version(manager->dnstls_data.ctx, TLS1_2_VERSION);
        if (r == 0)
                return -EIO;

        (void) SSL_CTX_set_options(manager->dnstls_data.ctx, SSL_OP_NO_COMPRESSION);

        r = SSL_CTX_set_default_verify_paths(manager->dnstls_data.ctx);
        if (r == 0)
                return log_warning_errno(SYNTHETIC_ERRNO(EIO),
                                         "Failed to load system trust store: %s",
                                         ERR_error_string(ERR_get_error(), NULL));

        return 0;
}

void dnstls_manager_free(Manager *manager) {
        assert(manager);

        if (manager->dnstls_data.ctx)
                SSL_CTX_free(manager->dnstls_data.ctx);
}
Commit	Line	Data
096cbdce IT	1	/* SPDX-License-Identifier: LGPL-2.1+ */
	2
	3	#if !ENABLE_DNS_OVER_TLS \|\| !DNS_OVER_TLS_USE_OPENSSL
	4	#error This source file requires DNS-over-TLS to be enabled and OpenSSL to be available.
	5	#endif
	6
096cbdce IT	7	#include <openssl/bio.h>
096cbdce IT	8	#include <openssl/err.h>
eec394f1	9	#include <openssl/x509v3.h>
096cbdce	10
29e719ce	11	#include "io-util.h"
72938b93 YW	12	#include "resolved-dns-stream.h"
72938b93 YW	13	#include "resolved-dnstls.h"
d402edb7	14	#include "resolved-manager.h"
72938b93	15
096cbdce IT	16	DEFINE_TRIVIAL_CLEANUP_FUNC(SSL*, SSL_free);
	17	DEFINE_TRIVIAL_CLEANUP_FUNC(BIO*, BIO_free);
	18
04c4d919 IT	19	static int dnstls_flush_write_buffer(DnsStream *stream) {
	20	ssize_t ss;
	21
	22	assert(stream);
	23	assert(stream->encrypted);
	24
ab8cd6c9	25	if (stream->dnstls_data.buffer_offset < stream->dnstls_data.write_buffer->length) {
04c4d919 IT	26	assert(stream->dnstls_data.write_buffer->data);
	27
	28	struct iovec iov[1];
ab8cd6c9 IT	29	iov[0] = IOVEC_MAKE(stream->dnstls_data.write_buffer->data + stream->dnstls_data.buffer_offset,
ab8cd6c9 IT	30	stream->dnstls_data.write_buffer->length - stream->dnstls_data.buffer_offset);
04c4d919 IT	31	ss = dns_stream_writev(stream, iov, 1, DNS_STREAM_WRITE_TLS_DATA);
	32	if (ss < 0) {
	33	if (ss == -EAGAIN)
	34	stream->dnstls_events \|= EPOLLOUT;
	35
	36	return ss;
	37	} else {
ab8cd6c9	38	stream->dnstls_data.buffer_offset += ss;
04c4d919	39
ab8cd6c9	40	if (stream->dnstls_data.buffer_offset < stream->dnstls_data.write_buffer->length) {
04c4d919 IT	41	stream->dnstls_events \|= EPOLLOUT;
04c4d919 IT	42	return -EAGAIN;
ab8cd6c9 IT	43	} else {
	44	BIO_reset(SSL_get_wbio(stream->dnstls_data.ssl));
	45	stream->dnstls_data.buffer_offset = 0;
04c4d919 IT	46	}
	47	}
	48	}
	49
	50	return 0;
	51	}
	52
096cbdce	53	int dnstls_stream_connect_tls(DnsStream stream, DnsServer server) {
36f1946c	54	_cleanup_(BIO_freep) BIO rb = NULL, wb = NULL;
096cbdce	55	_cleanup_(SSL_freep) SSL *s = NULL;
36f1946c	56	int error, r;
096cbdce IT	57
096cbdce IT	58	assert(stream);
e22c5b20	59	assert(stream->manager);
096cbdce IT	60	assert(server);
096cbdce IT	61
04c4d919 IT	62	rb = BIO_new_socket(stream->fd, 0);
	63	if (!rb)
	64	return -ENOMEM;
	65
	66	wb = BIO_new(BIO_s_mem());
	67	if (!wb)
096cbdce IT	68	return -ENOMEM;
096cbdce IT	69
04c4d919	70	BIO_get_mem_ptr(wb, &stream->dnstls_data.write_buffer);
ab8cd6c9	71	stream->dnstls_data.buffer_offset = 0;
04c4d919	72
e22c5b20	73	s = SSL_new(stream->manager->dnstls_data.ctx);
096cbdce IT	74	if (!s)
	75	return -ENOMEM;
	76
	77	SSL_set_connect_state(s);
df70539f YW	78	r = SSL_set_session(s, server->dnstls_data.session);
	79	if (r == 0)
	80	return -EIO;
04c4d919 IT	81	SSL_set_bio(s, TAKE_PTR(rb), TAKE_PTR(wb));
04c4d919 IT	82
4310bfc2 IT	83	if (server->manager->dns_over_tls_mode == DNS_OVER_TLS_YES) {
4310bfc2 IT	84	X509_VERIFY_PARAM *v;
4310bfc2 IT	85
	86	SSL_set_verify(s, SSL_VERIFY_PEER, NULL);
	87	v = SSL_get0_param(s);
eec394f1 JT	88	if (server->server_name) {
	89	X509_VERIFY_PARAM_set_hostflags(v, X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS);
	90	if (X509_VERIFY_PARAM_set1_host(v, server->server_name, 0) == 0)
	91	return -ECONNREFUSED;
	92	} else {
	93	const unsigned char *ip;
	94	ip = server->family == AF_INET ? (const unsigned char*) &server->address.in.s_addr : server->address.in6.s6_addr;
	95	if (X509_VERIFY_PARAM_set1_ip(v, ip, FAMILY_ADDRESS_SIZE(server->family)) == 0)
	96	return -ECONNREFUSED;
	97	}
4310bfc2 IT	98	}
4310bfc2 IT	99
2e22a54f GL	100	if (server->server_name) {
	101	r = SSL_set_tlsext_host_name(s, server->server_name);
	102	if (r <= 0) {
	103	char errbuf[256];
	104
	105	error = ERR_get_error();
	106	ERR_error_string_n(error, errbuf, sizeof(errbuf));
	107	return log_debug_errno(SYNTHETIC_ERRNO(EINVAL), "Failed to set server name: %s", errbuf);
	108	}
	109	}
	110
59c3fee2	111	ERR_clear_error();
04c4d919 IT	112	stream->dnstls_data.handshake = SSL_do_handshake(s);
	113	if (stream->dnstls_data.handshake <= 0) {
	114	error = SSL_get_error(s, stream->dnstls_data.handshake);
	115	if (!IN_SET(error, SSL_ERROR_WANT_READ, SSL_ERROR_WANT_WRITE)) {
	116	char errbuf[256];
096cbdce	117
04c4d919	118	ERR_error_string_n(error, errbuf, sizeof(errbuf));
df70539f YW	119	return log_debug_errno(SYNTHETIC_ERRNO(ECONNREFUSED),
df70539f YW	120	"Failed to invoke SSL_do_handshake: %s", errbuf);
04c4d919 IT	121	}
04c4d919 IT	122	}
096cbdce IT	123
096cbdce IT	124	stream->encrypted = true;
ab8cd6c9	125	stream->dnstls_data.ssl = TAKE_PTR(s);
04c4d919 IT	126
04c4d919 IT	127	r = dnstls_flush_write_buffer(stream);
ab8cd6c9 IT	128	if (r < 0 && r != -EAGAIN) {
ab8cd6c9 IT	129	SSL_free(TAKE_PTR(stream->dnstls_data.ssl));
04c4d919	130	return r;
ab8cd6c9	131	}
096cbdce IT	132
	133	return 0;
	134	}
	135
	136	void dnstls_stream_free(DnsStream *stream) {
	137	assert(stream);
	138	assert(stream->encrypted);
	139
	140	if (stream->dnstls_data.ssl)
	141	SSL_free(stream->dnstls_data.ssl);
	142	}
	143
04c4d919	144	int dnstls_stream_on_io(DnsStream *stream, uint32_t revents) {
36f1946c	145	int error, r;
096cbdce IT	146
	147	assert(stream);
	148	assert(stream->encrypted);
	149	assert(stream->dnstls_data.ssl);
	150
36f1946c	151	/* Flush write buffer when requested by OpenSSL */
04c4d919 IT	152	if ((revents & EPOLLOUT) && (stream->dnstls_events & EPOLLOUT)) {
	153	r = dnstls_flush_write_buffer(stream);
	154	if (r < 0)
	155	return r;
	156	}
	157
096cbdce	158	if (stream->dnstls_data.shutdown) {
59c3fee2	159	ERR_clear_error();
096cbdce	160	r = SSL_shutdown(stream->dnstls_data.ssl);
8eadd291 YW	161	if (r == 0) {
	162	stream->dnstls_events = 0;
	163
	164	r = dnstls_flush_write_buffer(stream);
	165	if (r < 0)
	166	return r;
	167
	168	return -EAGAIN;
	169	} else if (r < 0) {
096cbdce	170	error = SSL_get_error(stream->dnstls_data.ssl, r);
8eadd291 YW	171	if (IN_SET(error, SSL_ERROR_WANT_READ, SSL_ERROR_WANT_WRITE)) {
8eadd291 YW	172	stream->dnstls_events = error == SSL_ERROR_WANT_READ ? EPOLLIN : EPOLLOUT;
04c4d919 IT	173
	174	r = dnstls_flush_write_buffer(stream);
	175	if (r < 0)
	176	return r;
	177
096cbdce	178	return -EAGAIN;
8eadd291 YW	179	} else if (error == SSL_ERROR_SYSCALL) {
	180	if (errno > 0)
	181	log_debug_errno(errno, "Failed to invoke SSL_shutdown, ignoring: %m");
096cbdce IT	182	} else {
	183	char errbuf[256];
	184
	185	ERR_error_string_n(error, errbuf, sizeof(errbuf));
8eadd291	186	log_debug("Failed to invoke SSL_shutdown, ignoring: %s", errbuf);
096cbdce IT	187	}
	188	}
	189
8eadd291 YW	190	stream->dnstls_events = 0;
	191	stream->dnstls_data.shutdown = false;
	192
04c4d919 IT	193	r = dnstls_flush_write_buffer(stream);
	194	if (r < 0)
	195	return r;
	196
096cbdce IT	197	dns_stream_unref(stream);
	198	return DNSTLS_STREAM_CLOSED;
	199	} else if (stream->dnstls_data.handshake <= 0) {
59c3fee2	200	ERR_clear_error();
096cbdce IT	201	stream->dnstls_data.handshake = SSL_do_handshake(stream->dnstls_data.ssl);
	202	if (stream->dnstls_data.handshake <= 0) {
	203	error = SSL_get_error(stream->dnstls_data.ssl, stream->dnstls_data.handshake);
	204	if (IN_SET(error, SSL_ERROR_WANT_READ, SSL_ERROR_WANT_WRITE)) {
	205	stream->dnstls_events = error == SSL_ERROR_WANT_READ ? EPOLLIN : EPOLLOUT;
04c4d919 IT	206	r = dnstls_flush_write_buffer(stream);
	207	if (r < 0)
	208	return r;
	209
096cbdce IT	210	return -EAGAIN;
	211	} else {
	212	char errbuf[256];
	213
	214	ERR_error_string_n(error, errbuf, sizeof(errbuf));
baaa35ad ZJS	215	return log_debug_errno(SYNTHETIC_ERRNO(ECONNREFUSED),
	216	"Failed to invoke SSL_do_handshake: %s",
	217	errbuf);
096cbdce IT	218	}
	219	}
	220
	221	stream->dnstls_events = 0;
04c4d919 IT	222	r = dnstls_flush_write_buffer(stream);
	223	if (r < 0)
	224	return r;
096cbdce IT	225	}
	226
	227	return 0;
	228	}
	229
	230	int dnstls_stream_shutdown(DnsStream *stream, int error) {
36f1946c	231	int ssl_error, r;
096cbdce IT	232	SSL_SESSION *s;
	233
	234	assert(stream);
	235	assert(stream->encrypted);
	236	assert(stream->dnstls_data.ssl);
	237
04c4d919 IT	238	if (stream->server) {
	239	s = SSL_get1_session(stream->dnstls_data.ssl);
	240	if (s) {
	241	if (stream->server->dnstls_data.session)
	242	SSL_SESSION_free(stream->server->dnstls_data.session);
	243
	244	stream->server->dnstls_data.session = s;
	245	}
	246	}
	247
096cbdce	248	if (error == ETIMEDOUT) {
59c3fee2	249	ERR_clear_error();
096cbdce IT	250	r = SSL_shutdown(stream->dnstls_data.ssl);
	251	if (r == 0) {
	252	if (!stream->dnstls_data.shutdown) {
	253	stream->dnstls_data.shutdown = true;
	254	dns_stream_ref(stream);
	255	}
04c4d919	256
8eadd291 YW	257	stream->dnstls_events = 0;
8eadd291 YW	258
04c4d919 IT	259	r = dnstls_flush_write_buffer(stream);
	260	if (r < 0)
	261	return r;
	262
096cbdce IT	263	return -EAGAIN;
	264	} else if (r < 0) {
	265	ssl_error = SSL_get_error(stream->dnstls_data.ssl, r);
	266	if (IN_SET(ssl_error, SSL_ERROR_WANT_READ, SSL_ERROR_WANT_WRITE)) {
	267	stream->dnstls_events = ssl_error == SSL_ERROR_WANT_READ ? EPOLLIN : EPOLLOUT;
04c4d919 IT	268	r = dnstls_flush_write_buffer(stream);
	269	if (r < 0 && r != -EAGAIN)
	270	return r;
	271
096cbdce IT	272	if (!stream->dnstls_data.shutdown) {
	273	stream->dnstls_data.shutdown = true;
	274	dns_stream_ref(stream);
	275	}
	276	return -EAGAIN;
8eadd291 YW	277	} else if (ssl_error == SSL_ERROR_SYSCALL) {
	278	if (errno > 0)
	279	log_debug_errno(errno, "Failed to invoke SSL_shutdown, ignoring: %m");
096cbdce IT	280	} else {
	281	char errbuf[256];
	282
	283	ERR_error_string_n(ssl_error, errbuf, sizeof(errbuf));
8eadd291	284	log_debug("Failed to invoke SSL_shutdown, ignoring: %s", errbuf);
096cbdce IT	285	}
096cbdce IT	286	}
04c4d919 IT	287
	288	stream->dnstls_events = 0;
	289	r = dnstls_flush_write_buffer(stream);
	290	if (r < 0)
	291	return r;
096cbdce IT	292	}
	293
	294	return 0;
	295	}
	296
	297	ssize_t dnstls_stream_write(DnsStream stream, const char buf, size_t count) {
36f1946c	298	int error, r;
096cbdce IT	299	ssize_t ss;
	300
	301	assert(stream);
	302	assert(stream->encrypted);
	303	assert(stream->dnstls_data.ssl);
	304	assert(buf);
	305
59c3fee2	306	ERR_clear_error();
096cbdce IT	307	ss = r = SSL_write(stream->dnstls_data.ssl, buf, count);
096cbdce IT	308	if (r <= 0) {
8e740110	309	error = SSL_get_error(stream->dnstls_data.ssl, r);
096cbdce IT	310	if (IN_SET(error, SSL_ERROR_WANT_READ, SSL_ERROR_WANT_WRITE)) {
	311	stream->dnstls_events = error == SSL_ERROR_WANT_READ ? EPOLLIN : EPOLLOUT;
	312	ss = -EAGAIN;
8e740110 YW	313	} else if (error == SSL_ERROR_ZERO_RETURN) {
	314	stream->dnstls_events = 0;
	315	ss = 0;
096cbdce IT	316	} else {
	317	char errbuf[256];
	318
	319	ERR_error_string_n(error, errbuf, sizeof(errbuf));
36f1946c	320	log_debug("Failed to invoke SSL_write: %s", errbuf);
8e740110	321	stream->dnstls_events = 0;
096cbdce IT	322	ss = -EPIPE;
096cbdce IT	323	}
8e740110 YW	324	} else
8e740110 YW	325	stream->dnstls_events = 0;
096cbdce	326
04c4d919 IT	327	r = dnstls_flush_write_buffer(stream);
	328	if (r < 0)
	329	return r;
	330
096cbdce IT	331	return ss;
	332	}
	333
	334	ssize_t dnstls_stream_read(DnsStream stream, void buf, size_t count) {
36f1946c	335	int error, r;
096cbdce IT	336	ssize_t ss;
	337
	338	assert(stream);
	339	assert(stream->encrypted);
	340	assert(stream->dnstls_data.ssl);
	341	assert(buf);
	342
59c3fee2	343	ERR_clear_error();
096cbdce IT	344	ss = r = SSL_read(stream->dnstls_data.ssl, buf, count);
096cbdce IT	345	if (r <= 0) {
8e740110	346	error = SSL_get_error(stream->dnstls_data.ssl, r);
096cbdce IT	347	if (IN_SET(error, SSL_ERROR_WANT_READ, SSL_ERROR_WANT_WRITE)) {
	348	stream->dnstls_events = error == SSL_ERROR_WANT_READ ? EPOLLIN : EPOLLOUT;
	349	ss = -EAGAIN;
8e740110 YW	350	} else if (error == SSL_ERROR_ZERO_RETURN) {
	351	stream->dnstls_events = 0;
	352	ss = 0;
096cbdce IT	353	} else {
	354	char errbuf[256];
	355
	356	ERR_error_string_n(error, errbuf, sizeof(errbuf));
	357	log_debug("Failed to invoke SSL_read: %s", errbuf);
8e740110	358	stream->dnstls_events = 0;
096cbdce IT	359	ss = -EPIPE;
096cbdce IT	360	}
8e740110 YW	361	} else
8e740110 YW	362	stream->dnstls_events = 0;
04c4d919 IT	363
	364	/* flush write buffer in cache of renegotiation */
	365	r = dnstls_flush_write_buffer(stream);
	366	if (r < 0)
	367	return r;
	368
096cbdce IT	369	return ss;
	370	}
	371
e22c5b20	372	void dnstls_server_free(DnsServer *server) {
096cbdce IT	373	assert(server);
096cbdce IT	374
e22c5b20 IT	375	if (server->dnstls_data.session)
e22c5b20 IT	376	SSL_SESSION_free(server->dnstls_data.session);
096cbdce IT	377	}
096cbdce IT	378
71a681ae	379	int dnstls_manager_init(Manager *manager) {
e22c5b20	380	int r;
df70539f	381
e22c5b20	382	assert(manager);
096cbdce	383
e22c5b20 IT	384	ERR_load_crypto_strings();
e22c5b20 IT	385	SSL_load_error_strings();
71a681ae	386
df70539f	387	manager->dnstls_data.ctx = SSL_CTX_new(TLS_client_method());
71a681ae IT	388	if (!manager->dnstls_data.ctx)
	389	return -ENOMEM;
	390
df70539f YW	391	r = SSL_CTX_set_min_proto_version(manager->dnstls_data.ctx, TLS1_2_VERSION);
	392	if (r == 0)
	393	return -EIO;
	394
	395	(void) SSL_CTX_set_options(manager->dnstls_data.ctx, SSL_OP_NO_COMPRESSION);
	396
4310bfc2	397	r = SSL_CTX_set_default_verify_paths(manager->dnstls_data.ctx);
df70539f YW	398	if (r == 0)
	399	return log_warning_errno(SYNTHETIC_ERRNO(EIO),
	400	"Failed to load system trust store: %s",
	401	ERR_error_string(ERR_get_error(), NULL));
71a681ae IT	402
71a681ae IT	403	return 0;
e22c5b20	404	}
04c4d919	405
e22c5b20 IT	406	void dnstls_manager_free(Manager *manager) {
	407	assert(manager);
	408
	409	if (manager->dnstls_data.ctx)
	410	SSL_CTX_free(manager->dnstls_data.ctx);
096cbdce	411	}