]> git.ipfire.org Git - thirdparty/systemd.git/blob - src/resolve/resolved-dnstls-gnutls.c
projects / thirdparty / systemd.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
Merge pull request #15504 from poettering/cmsg-find-pure
[thirdparty/systemd.git] / src / resolve / resolved-dnstls-gnutls.c
1 /* SPDX-License-Identifier: LGPL-2.1+ */
2
3 #if !ENABLE_DNS_OVER_TLS || !DNS_OVER_TLS_USE_GNUTLS
4 #error This source file requires DNS-over-TLS to be enabled and GnuTLS to be available.
5 #endif
6
7 #include <gnutls/socket.h>
8
9 #include "resolved-dns-stream.h"
10 #include "resolved-dnstls.h"
11
12 #define TLS_PROTOCOL_PRIORITY "NORMAL:-VERS-ALL:+VERS-TLS1.3:+VERS-TLS1.2"
13 DEFINE_TRIVIAL_CLEANUP_FUNC(gnutls_session_t, gnutls_deinit);
14
15 static ssize_t dnstls_stream_writev(gnutls_transport_ptr_t p, const giovec_t *iov, int iovcnt) {
16 int r;
17
18 assert(p);
19
20 r = dns_stream_writev((DnsStream*) p, (const struct iovec*) iov, iovcnt, DNS_STREAM_WRITE_TLS_DATA);
21 if (r < 0) {
22 errno = -r;
23 return -1;
24 }
25
26 return r;
27 }
28
29 int dnstls_stream_connect_tls(DnsStream *stream, DnsServer *server) {
30 _cleanup_(gnutls_deinitp) gnutls_session_t gs;
31 int r;
32
33 assert(stream);
34 assert(server);
35
36 r = gnutls_init(&gs, GNUTLS_CLIENT | GNUTLS_ENABLE_FALSE_START | GNUTLS_NONBLOCK);
37 if (r < 0)
38 return r;
39
40 /* As DNS-over-TLS is a recent protocol, older TLS versions can be disabled */
41 r = gnutls_priority_set_direct(gs, TLS_PROTOCOL_PRIORITY, NULL);
42 if (r < 0)
43 return r;
44
45 r = gnutls_credentials_set(gs, GNUTLS_CRD_CERTIFICATE, stream->manager->dnstls_data.cert_cred);
46 if (r < 0)
47 return r;
48
49 if (server->dnstls_data.session_data.size > 0) {
50 gnutls_session_set_data(gs, server->dnstls_data.session_data.data, server->dnstls_data.session_data.size);
51
52 // Clear old session ticket
53 gnutls_free(server->dnstls_data.session_data.data);
54 server->dnstls_data.session_data.data = NULL;
55 server->dnstls_data.session_data.size = 0;
56 }
57
58 if (server->manager->dns_over_tls_mode == DNS_OVER_TLS_YES) {
59 if (server->server_name)
60 gnutls_session_set_verify_cert(gs, server->server_name, 0);
61 else {
62 stream->dnstls_data.validation.type = GNUTLS_DT_IP_ADDRESS;
63 if (server->family == AF_INET) {
64 stream->dnstls_data.validation.data = (unsigned char*) &server->address.in.s_addr;
65 stream->dnstls_data.validation.size = 4;
66 } else {
67 stream->dnstls_data.validation.data = server->address.in6.s6_addr;
68 stream->dnstls_data.validation.size = 16;
69 }
70 gnutls_session_set_verify_cert2(gs, &stream->dnstls_data.validation, 1, 0);
71 }
72 }
73
74 if (server->server_name) {
75 r = gnutls_server_name_set(gs, GNUTLS_NAME_DNS, server->server_name, strlen(server->server_name));
76 if (r < 0)
77 return log_debug_errno(SYNTHETIC_ERRNO(EINVAL), "Failed to set server name: %s", gnutls_strerror(r));
78 }
79
80 gnutls_handshake_set_timeout(gs, GNUTLS_DEFAULT_HANDSHAKE_TIMEOUT);
81
82 gnutls_transport_set_ptr2(gs, (gnutls_transport_ptr_t) (long) stream->fd, stream);
83 gnutls_transport_set_vec_push_function(gs, &dnstls_stream_writev);
84
85 stream->encrypted = true;
86 stream->dnstls_data.handshake = gnutls_handshake(gs);
87 if (stream->dnstls_data.handshake < 0 && gnutls_error_is_fatal(stream->dnstls_data.handshake))
88 return -ECONNREFUSED;
89
90 stream->dnstls_data.session = TAKE_PTR(gs);
91
92 return 0;
93 }
94
95 void dnstls_stream_free(DnsStream *stream) {
96 assert(stream);
97 assert(stream->encrypted);
98
99 if (stream->dnstls_data.session)
100 gnutls_deinit(stream->dnstls_data.session);
101 }
102
103 int dnstls_stream_on_io(DnsStream *stream, uint32_t revents) {
104 int r;
105
106 assert(stream);
107 assert(stream->encrypted);
108 assert(stream->dnstls_data.session);
109
110 if (stream->dnstls_data.shutdown) {
111 r = gnutls_bye(stream->dnstls_data.session, GNUTLS_SHUT_RDWR);
112 if (r == GNUTLS_E_AGAIN) {
113 stream->dnstls_events = gnutls_record_get_direction(stream->dnstls_data.session) == 1 ? EPOLLOUT : EPOLLIN;
114 return -EAGAIN;
115 } else if (r < 0)
116 log_debug("Failed to invoke gnutls_bye: %s", gnutls_strerror(r));
117
118 stream->dnstls_events = 0;
119 stream->dnstls_data.shutdown = false;
120 dns_stream_unref(stream);
121 return DNSTLS_STREAM_CLOSED;
122 } else if (stream->dnstls_data.handshake < 0) {
123 stream->dnstls_data.handshake = gnutls_handshake(stream->dnstls_data.session);
124 if (stream->dnstls_data.handshake == GNUTLS_E_AGAIN) {
125 stream->dnstls_events = gnutls_record_get_direction(stream->dnstls_data.session) == 1 ? EPOLLOUT : EPOLLIN;
126 return -EAGAIN;
127 } else if (stream->dnstls_data.handshake < 0) {
128 log_debug("Failed to invoke gnutls_handshake: %s", gnutls_strerror(stream->dnstls_data.handshake));
129 if (gnutls_error_is_fatal(stream->dnstls_data.handshake))
130 return -ECONNREFUSED;
131 }
132
133 stream->dnstls_events = 0;
134 }
135
136 return 0;
137 }
138
139 int dnstls_stream_shutdown(DnsStream *stream, int error) {
140 int r;
141
142 assert(stream);
143 assert(stream->encrypted);
144 assert(stream->dnstls_data.session);
145
146 /* Store TLS Ticket for faster successive TLS handshakes */
147 if (stream->server && stream->server->dnstls_data.session_data.size == 0 && stream->dnstls_data.handshake == GNUTLS_E_SUCCESS)
148 gnutls_session_get_data2(stream->dnstls_data.session, &stream->server->dnstls_data.session_data);
149
150 if (IN_SET(error, ETIMEDOUT, 0)) {
151 r = gnutls_bye(stream->dnstls_data.session, GNUTLS_SHUT_RDWR);
152 if (r == GNUTLS_E_AGAIN) {
153 if (!stream->dnstls_data.shutdown) {
154 stream->dnstls_data.shutdown = true;
155 dns_stream_ref(stream);
156 return -EAGAIN;
157 }
158 } else if (r < 0)
159 log_debug("Failed to invoke gnutls_bye: %s", gnutls_strerror(r));
160 }
161
162 return 0;
163 }
164
165 ssize_t dnstls_stream_write(DnsStream *stream, const char *buf, size_t count) {
166 ssize_t ss;
167
168 assert(stream);
169 assert(stream->encrypted);
170 assert(stream->dnstls_data.session);
171 assert(buf);
172
173 ss = gnutls_record_send(stream->dnstls_data.session, buf, count);
174 if (ss < 0)
175 switch(ss) {
176 case GNUTLS_E_INTERRUPTED:
177 return -EINTR;
178 case GNUTLS_E_AGAIN:
179 return -EAGAIN;
180 default:
181 return log_debug_errno(SYNTHETIC_ERRNO(EPIPE),
182 "Failed to invoke gnutls_record_send: %s",
183 gnutls_strerror(ss));
184 }
185
186 return ss;
187 }
188
189 ssize_t dnstls_stream_read(DnsStream *stream, void *buf, size_t count) {
190 ssize_t ss;
191
192 assert(stream);
193 assert(stream->encrypted);
194 assert(stream->dnstls_data.session);
195 assert(buf);
196
197 ss = gnutls_record_recv(stream->dnstls_data.session, buf, count);
198 if (ss < 0)
199 switch(ss) {
200 case GNUTLS_E_INTERRUPTED:
201 return -EINTR;
202 case GNUTLS_E_AGAIN:
203 return -EAGAIN;
204 default:
205 return log_debug_errno(SYNTHETIC_ERRNO(EPIPE),
206 "Failed to invoke gnutls_record_recv: %s",
207 gnutls_strerror(ss));
208 }
209
210 return ss;
211 }
212
213 void dnstls_server_free(DnsServer *server) {
214 assert(server);
215
216 if (server->dnstls_data.session_data.data)
217 gnutls_free(server->dnstls_data.session_data.data);
218 }
219
220 int dnstls_manager_init(Manager *manager) {
221 int r;
222 assert(manager);
223
224 r = gnutls_certificate_allocate_credentials(&manager->dnstls_data.cert_cred);
225 if (r < 0)
226 return -ENOMEM;
227
228 r = gnutls_certificate_set_x509_system_trust(manager->dnstls_data.cert_cred);
229 if (r < 0)
230 log_warning("Failed to load system trust store: %s", gnutls_strerror(r));
231
232 return 0;
233 }
234
235 void dnstls_manager_free(Manager *manager) {
236 assert(manager);
237
238 if (manager->dnstls_data.cert_cred)
239 gnutls_certificate_free_credentials(manager->dnstls_data.cert_cred);
240 }
Unnamed repository; edit this file 'description' to name the repository.