]>
Commit | Line | Data |
---|---|---|
db9ecf05 | 1 | /* SPDX-License-Identifier: LGPL-2.1-or-later */ |
6016fcb0 | 2 | |
096cbdce | 3 | #if !ENABLE_DNS_OVER_TLS || !DNS_OVER_TLS_USE_GNUTLS |
6016fcb0 IT |
4 | #error This source file requires DNS-over-TLS to be enabled and GnuTLS to be available. |
5 | #endif | |
6 | ||
6016fcb0 IT |
7 | #include <gnutls/socket.h> |
8 | ||
72938b93 YW |
9 | #include "resolved-dns-stream.h" |
10 | #include "resolved-dnstls.h" | |
be28f72d | 11 | #include "resolved-manager.h" |
72938b93 | 12 | |
7f95bb22 | 13 | #define TLS_PROTOCOL_PRIORITY "NORMAL:-VERS-ALL:+VERS-TLS1.3:+VERS-TLS1.2" |
fd421c4a | 14 | DEFINE_TRIVIAL_CLEANUP_FUNC_FULL(gnutls_session_t, gnutls_deinit, NULL); |
6016fcb0 IT |
15 | |
16 | static ssize_t dnstls_stream_writev(gnutls_transport_ptr_t p, const giovec_t *iov, int iovcnt) { | |
17 | int r; | |
18 | ||
19 | assert(p); | |
20 | ||
21 | r = dns_stream_writev((DnsStream*) p, (const struct iovec*) iov, iovcnt, DNS_STREAM_WRITE_TLS_DATA); | |
22 | if (r < 0) { | |
23 | errno = -r; | |
24 | return -1; | |
25 | } | |
26 | ||
27 | return r; | |
28 | } | |
29 | ||
30 | int dnstls_stream_connect_tls(DnsStream *stream, DnsServer *server) { | |
b9c54c46 | 31 | _cleanup_(gnutls_deinitp) gnutls_session_t gs = NULL; |
6016fcb0 IT |
32 | int r; |
33 | ||
34 | assert(stream); | |
35 | assert(server); | |
36 | ||
37 | r = gnutls_init(&gs, GNUTLS_CLIENT | GNUTLS_ENABLE_FALSE_START | GNUTLS_NONBLOCK); | |
38 | if (r < 0) | |
39 | return r; | |
40 | ||
41 | /* As DNS-over-TLS is a recent protocol, older TLS versions can be disabled */ | |
7f95bb22 | 42 | r = gnutls_priority_set_direct(gs, TLS_PROTOCOL_PRIORITY, NULL); |
6016fcb0 IT |
43 | if (r < 0) |
44 | return r; | |
45 | ||
e22c5b20 | 46 | r = gnutls_credentials_set(gs, GNUTLS_CRD_CERTIFICATE, stream->manager->dnstls_data.cert_cred); |
6016fcb0 IT |
47 | if (r < 0) |
48 | return r; | |
49 | ||
50 | if (server->dnstls_data.session_data.size > 0) { | |
51 | gnutls_session_set_data(gs, server->dnstls_data.session_data.data, server->dnstls_data.session_data.size); | |
52 | ||
53 | // Clear old session ticket | |
54 | gnutls_free(server->dnstls_data.session_data.data); | |
55 | server->dnstls_data.session_data.data = NULL; | |
56 | server->dnstls_data.session_data.size = 0; | |
57 | } | |
58 | ||
7f2f4fac | 59 | if (server->manager->dns_over_tls_mode == DNS_OVER_TLS_YES) { |
eec394f1 JT |
60 | if (server->server_name) |
61 | gnutls_session_set_verify_cert(gs, server->server_name, 0); | |
62 | else { | |
63 | stream->dnstls_data.validation.type = GNUTLS_DT_IP_ADDRESS; | |
64 | if (server->family == AF_INET) { | |
65 | stream->dnstls_data.validation.data = (unsigned char*) &server->address.in.s_addr; | |
66 | stream->dnstls_data.validation.size = 4; | |
67 | } else { | |
68 | stream->dnstls_data.validation.data = server->address.in6.s6_addr; | |
69 | stream->dnstls_data.validation.size = 16; | |
70 | } | |
71 | gnutls_session_set_verify_cert2(gs, &stream->dnstls_data.validation, 1, 0); | |
7f2f4fac | 72 | } |
7f2f4fac | 73 | } |
4310bfc2 | 74 | |
2e22a54f GL |
75 | if (server->server_name) { |
76 | r = gnutls_server_name_set(gs, GNUTLS_NAME_DNS, server->server_name, strlen(server->server_name)); | |
77 | if (r < 0) | |
78 | return log_debug_errno(SYNTHETIC_ERRNO(EINVAL), "Failed to set server name: %s", gnutls_strerror(r)); | |
79 | } | |
80 | ||
6016fcb0 IT |
81 | gnutls_handshake_set_timeout(gs, GNUTLS_DEFAULT_HANDSHAKE_TIMEOUT); |
82 | ||
83 | gnutls_transport_set_ptr2(gs, (gnutls_transport_ptr_t) (long) stream->fd, stream); | |
84 | gnutls_transport_set_vec_push_function(gs, &dnstls_stream_writev); | |
85 | ||
86 | stream->encrypted = true; | |
87 | stream->dnstls_data.handshake = gnutls_handshake(gs); | |
88 | if (stream->dnstls_data.handshake < 0 && gnutls_error_is_fatal(stream->dnstls_data.handshake)) | |
89 | return -ECONNREFUSED; | |
90 | ||
91 | stream->dnstls_data.session = TAKE_PTR(gs); | |
92 | ||
93 | return 0; | |
94 | } | |
95 | ||
96 | void dnstls_stream_free(DnsStream *stream) { | |
97 | assert(stream); | |
98 | assert(stream->encrypted); | |
99 | ||
100 | if (stream->dnstls_data.session) | |
101 | gnutls_deinit(stream->dnstls_data.session); | |
102 | } | |
103 | ||
04c4d919 | 104 | int dnstls_stream_on_io(DnsStream *stream, uint32_t revents) { |
6016fcb0 IT |
105 | int r; |
106 | ||
107 | assert(stream); | |
108 | assert(stream->encrypted); | |
109 | assert(stream->dnstls_data.session); | |
110 | ||
111 | if (stream->dnstls_data.shutdown) { | |
112 | r = gnutls_bye(stream->dnstls_data.session, GNUTLS_SHUT_RDWR); | |
ba6aaf57 IT |
113 | if (r == GNUTLS_E_AGAIN) { |
114 | stream->dnstls_events = gnutls_record_get_direction(stream->dnstls_data.session) == 1 ? EPOLLOUT : EPOLLIN; | |
6016fcb0 | 115 | return -EAGAIN; |
ba6aaf57 | 116 | } else if (r < 0) |
6016fcb0 IT |
117 | log_debug("Failed to invoke gnutls_bye: %s", gnutls_strerror(r)); |
118 | ||
ba6aaf57 | 119 | stream->dnstls_events = 0; |
6016fcb0 IT |
120 | stream->dnstls_data.shutdown = false; |
121 | dns_stream_unref(stream); | |
122 | return DNSTLS_STREAM_CLOSED; | |
123 | } else if (stream->dnstls_data.handshake < 0) { | |
124 | stream->dnstls_data.handshake = gnutls_handshake(stream->dnstls_data.session); | |
ba6aaf57 IT |
125 | if (stream->dnstls_data.handshake == GNUTLS_E_AGAIN) { |
126 | stream->dnstls_events = gnutls_record_get_direction(stream->dnstls_data.session) == 1 ? EPOLLOUT : EPOLLIN; | |
6016fcb0 | 127 | return -EAGAIN; |
ba6aaf57 | 128 | } else if (stream->dnstls_data.handshake < 0) { |
6016fcb0 IT |
129 | log_debug("Failed to invoke gnutls_handshake: %s", gnutls_strerror(stream->dnstls_data.handshake)); |
130 | if (gnutls_error_is_fatal(stream->dnstls_data.handshake)) | |
131 | return -ECONNREFUSED; | |
132 | } | |
ba6aaf57 IT |
133 | |
134 | stream->dnstls_events = 0; | |
6016fcb0 IT |
135 | } |
136 | ||
137 | return 0; | |
138 | } | |
139 | ||
140 | int dnstls_stream_shutdown(DnsStream *stream, int error) { | |
141 | int r; | |
142 | ||
143 | assert(stream); | |
144 | assert(stream->encrypted); | |
145 | assert(stream->dnstls_data.session); | |
146 | ||
5238e957 | 147 | /* Store TLS Ticket for faster successive TLS handshakes */ |
6016fcb0 IT |
148 | if (stream->server && stream->server->dnstls_data.session_data.size == 0 && stream->dnstls_data.handshake == GNUTLS_E_SUCCESS) |
149 | gnutls_session_get_data2(stream->dnstls_data.session, &stream->server->dnstls_data.session_data); | |
150 | ||
151 | if (IN_SET(error, ETIMEDOUT, 0)) { | |
152 | r = gnutls_bye(stream->dnstls_data.session, GNUTLS_SHUT_RDWR); | |
153 | if (r == GNUTLS_E_AGAIN) { | |
154 | if (!stream->dnstls_data.shutdown) { | |
155 | stream->dnstls_data.shutdown = true; | |
156 | dns_stream_ref(stream); | |
157 | return -EAGAIN; | |
158 | } | |
159 | } else if (r < 0) | |
160 | log_debug("Failed to invoke gnutls_bye: %s", gnutls_strerror(r)); | |
161 | } | |
162 | ||
163 | return 0; | |
164 | } | |
165 | ||
166 | ssize_t dnstls_stream_write(DnsStream *stream, const char *buf, size_t count) { | |
167 | ssize_t ss; | |
168 | ||
169 | assert(stream); | |
170 | assert(stream->encrypted); | |
171 | assert(stream->dnstls_data.session); | |
172 | assert(buf); | |
173 | ||
174 | ss = gnutls_record_send(stream->dnstls_data.session, buf, count); | |
175 | if (ss < 0) | |
176 | switch(ss) { | |
177 | case GNUTLS_E_INTERRUPTED: | |
178 | return -EINTR; | |
179 | case GNUTLS_E_AGAIN: | |
180 | return -EAGAIN; | |
181 | default: | |
baaa35ad ZJS |
182 | return log_debug_errno(SYNTHETIC_ERRNO(EPIPE), |
183 | "Failed to invoke gnutls_record_send: %s", | |
184 | gnutls_strerror(ss)); | |
6016fcb0 IT |
185 | } |
186 | ||
187 | return ss; | |
188 | } | |
189 | ||
190 | ssize_t dnstls_stream_read(DnsStream *stream, void *buf, size_t count) { | |
191 | ssize_t ss; | |
192 | ||
193 | assert(stream); | |
194 | assert(stream->encrypted); | |
195 | assert(stream->dnstls_data.session); | |
196 | assert(buf); | |
197 | ||
198 | ss = gnutls_record_recv(stream->dnstls_data.session, buf, count); | |
199 | if (ss < 0) | |
200 | switch(ss) { | |
201 | case GNUTLS_E_INTERRUPTED: | |
202 | return -EINTR; | |
203 | case GNUTLS_E_AGAIN: | |
204 | return -EAGAIN; | |
205 | default: | |
baaa35ad ZJS |
206 | return log_debug_errno(SYNTHETIC_ERRNO(EPIPE), |
207 | "Failed to invoke gnutls_record_recv: %s", | |
208 | gnutls_strerror(ss)); | |
6016fcb0 IT |
209 | } |
210 | ||
211 | return ss; | |
212 | } | |
213 | ||
2aaf6bb6 JB |
214 | bool dnstls_stream_has_buffered_data(DnsStream *stream) { |
215 | assert(stream); | |
216 | assert(stream->encrypted); | |
217 | assert(stream->dnstls_data.session); | |
218 | ||
219 | return gnutls_record_check_pending(stream->dnstls_data.session) > 0; | |
220 | } | |
221 | ||
e22c5b20 | 222 | void dnstls_server_free(DnsServer *server) { |
6016fcb0 IT |
223 | assert(server); |
224 | ||
e22c5b20 IT |
225 | if (server->dnstls_data.session_data.data) |
226 | gnutls_free(server->dnstls_data.session_data.data); | |
6016fcb0 IT |
227 | } |
228 | ||
71a681ae | 229 | int dnstls_manager_init(Manager *manager) { |
e22c5b20 IT |
230 | int r; |
231 | assert(manager); | |
6016fcb0 | 232 | |
71a681ae | 233 | r = gnutls_certificate_allocate_credentials(&manager->dnstls_data.cert_cred); |
e22c5b20 | 234 | if (r < 0) |
71a681ae IT |
235 | return -ENOMEM; |
236 | ||
4310bfc2 IT |
237 | r = gnutls_certificate_set_x509_system_trust(manager->dnstls_data.cert_cred); |
238 | if (r < 0) | |
239 | log_warning("Failed to load system trust store: %s", gnutls_strerror(r)); | |
240 | ||
71a681ae | 241 | return 0; |
e22c5b20 | 242 | } |
6016fcb0 | 243 | |
e22c5b20 IT |
244 | void dnstls_manager_free(Manager *manager) { |
245 | assert(manager); | |
246 | ||
247 | if (manager->dnstls_data.cert_cred) | |
248 | gnutls_certificate_free_credentials(manager->dnstls_data.cert_cred); | |
6016fcb0 | 249 | } |