Instead of having a context and/or trusted CA list per server this is now moved to the server. Ensures future TLS configuration options are global instead of per server.
s->linked = true;
-#if ENABLE_DNS_OVER_TLS
- dnstls_server_init(s);
-#endif
-
/* A new DNS server that isn't fallback is added and the one
* we used so far was a fallback one? Then let's try to pick
* the new one */
if (r < 0)
return r;
- r = gnutls_credentials_set(gs, GNUTLS_CRD_CERTIFICATE, server->dnstls_data.cert_cred);
+ r = gnutls_credentials_set(gs, GNUTLS_CRD_CERTIFICATE, stream->manager->dnstls_data.cert_cred);
if (r < 0)
return r;
return ss;
}
-void dnstls_server_init(DnsServer *server) {
+void dnstls_server_free(DnsServer *server) {
assert(server);
- /* Do not verify cerificate */
- gnutls_certificate_allocate_credentials(&server->dnstls_data.cert_cred);
+ if (server->dnstls_data.session_data.data)
+ gnutls_free(server->dnstls_data.session_data.data);
}
-void dnstls_server_free(DnsServer *server) {
- assert(server);
+void dnstls_manager_init(Manager *manager) {
+ int r;
+ assert(manager);
- if (server->dnstls_data.cert_cred)
- gnutls_certificate_free_credentials(server->dnstls_data.cert_cred);
+ gnutls_certificate_allocate_credentials(&manager->dnstls_data.cert_cred);
+ r = gnutls_certificate_set_x509_trust_file(manager->dnstls_data.cert_cred, manager->trusted_certificate_file, GNUTLS_X509_FMT_PEM);
+ if (r < 0)
+ log_error("Failed to load trusted certificate file %s: %s", manager->trusted_certificate_file, gnutls_strerror(r));
+}
- if (server->dnstls_data.session_data.data)
- gnutls_free(server->dnstls_data.session_data.data);
+void dnstls_manager_free(Manager *manager) {
+ assert(manager);
+
+ if (manager->dnstls_data.cert_cred)
+ gnutls_certificate_free_credentials(manager->dnstls_data.cert_cred);
}
#include <gnutls/gnutls.h>
#include <stdbool.h>
-struct DnsTlsServerData {
+struct DnsTlsManagerData {
gnutls_certificate_credentials_t cert_cred;
+};
+
+struct DnsTlsServerData {
gnutls_datum_t session_data;
};
int error, r;
assert(stream);
+ assert(stream->manager);
assert(server);
rb = BIO_new_socket(stream->fd, 0);
BIO_get_mem_ptr(wb, &stream->dnstls_data.write_buffer);
stream->dnstls_data.buffer_offset = 0;
- s = SSL_new(server->dnstls_data.ctx);
+ s = SSL_new(stream->manager->dnstls_data.ctx);
if (!s)
return -ENOMEM;
return ss;
}
-void dnstls_server_init(DnsServer *server) {
+void dnstls_server_free(DnsServer *server) {
assert(server);
- server->dnstls_data.ctx = SSL_CTX_new(TLS_client_method());
- if (server->dnstls_data.ctx) {
- SSL_CTX_set_min_proto_version(server->dnstls_data.ctx, TLS1_2_VERSION);
- SSL_CTX_set_options(server->dnstls_data.ctx, SSL_OP_NO_COMPRESSION);
- }
+ if (server->dnstls_data.session)
+ SSL_SESSION_free(server->dnstls_data.session);
}
-void dnstls_server_free(DnsServer *server) {
- assert(server);
+void dnstls_manager_init(Manager *manager) {
+ int r;
+ assert(manager);
- if (server->dnstls_data.ctx)
- SSL_CTX_free(server->dnstls_data.ctx);
+ ERR_load_crypto_strings();
+ SSL_load_error_strings();
+ manager->dnstls_data.ctx = SSL_CTX_new(TLS_client_method());
+ if (manager->dnstls_data.ctx) {
+ SSL_CTX_set_min_proto_version(manager->dnstls_data.ctx, TLS1_2_VERSION);
+ SSL_CTX_set_options(manager->dnstls_data.ctx, SSL_OP_NO_COMPRESSION);
+ }
+}
- if (server->dnstls_data.session)
- SSL_SESSION_free(server->dnstls_data.session);
+void dnstls_manager_free(Manager *manager) {
+ assert(manager);
+
+ if (manager->dnstls_data.ctx)
+ SSL_CTX_free(manager->dnstls_data.ctx);
}
#include <openssl/ssl.h>
#include <stdbool.h>
-struct DnsTlsServerData {
+struct DnsTlsManagerData {
SSL_CTX *ctx;
+};
+
+struct DnsTlsServerData {
SSL_SESSION *session;
};
#error This source file requires DNS-over-TLS to be enabled
#endif
+typedef struct DnsTlsManagerData DnsTlsManagerData;
typedef struct DnsTlsServerData DnsTlsServerData;
typedef struct DnsTlsStreamData DnsTlsStreamData;
ssize_t dnstls_stream_write(DnsStream *stream, const char *buf, size_t count);
ssize_t dnstls_stream_read(DnsStream *stream, void *buf, size_t count);
-void dnstls_server_init(DnsServer *server);
void dnstls_server_free(DnsServer *server);
+
+void dnstls_manager_init(Manager *manager);
+void dnstls_manager_free(Manager *manager);
if (r < 0)
log_warning_errno(r, "Failed to parse configuration file: %m");
+#if ENABLE_DNS_OVER_TLS
+ dnstls_manager_init(m);
+#endif
+
r = sd_event_default(&m->event);
if (r < 0)
return r;
while (m->dns_streams)
dns_stream_unref(m->dns_streams);
+#if ENABLE_DNS_OVER_TLS
+ dnstls_manager_free(m);
+#endif
+
hashmap_free(m->links);
hashmap_free(m->dns_transactions);
#include "resolved-dns-server.h"
#include "resolved-dns-stream.h"
#include "resolved-dns-trust-anchor.h"
+#include "resolved-dnstls.h"
#include "resolved-link.h"
#define MANAGER_SEARCH_DOMAINS_MAX 256
bool enable_cache;
DnsStubListenerMode dns_stub_listener_mode;
+#if ENABLE_DNS_OVER_TLS
+ DnsTlsManagerData dnstls_data;
+#endif
+
/* Network */
Hashmap *links;