]>
Commit | Line | Data |
---|---|---|
096cbdce IT |
1 | /* SPDX-License-Identifier: LGPL-2.1+ */ |
2 | ||
3 | #if !ENABLE_DNS_OVER_TLS || !DNS_OVER_TLS_USE_OPENSSL | |
4 | #error This source file requires DNS-over-TLS to be enabled and OpenSSL to be available. | |
5 | #endif | |
6 | ||
096cbdce IT |
7 | #include <openssl/bio.h> |
8 | #include <openssl/err.h> | |
18bddeaa | 9 | #include <string.h> |
096cbdce | 10 | |
29e719ce | 11 | #include "io-util.h" |
72938b93 YW |
12 | #include "resolved-dns-stream.h" |
13 | #include "resolved-dnstls.h" | |
14 | ||
096cbdce IT |
15 | DEFINE_TRIVIAL_CLEANUP_FUNC(SSL*, SSL_free); |
16 | DEFINE_TRIVIAL_CLEANUP_FUNC(BIO*, BIO_free); | |
17 | ||
04c4d919 IT |
18 | static int dnstls_flush_write_buffer(DnsStream *stream) { |
19 | ssize_t ss; | |
20 | ||
21 | assert(stream); | |
22 | assert(stream->encrypted); | |
23 | ||
24 | if (stream->dnstls_data.write_buffer->length > 0) { | |
25 | assert(stream->dnstls_data.write_buffer->data); | |
26 | ||
27 | struct iovec iov[1]; | |
5cfa2c3d LP |
28 | iov[0] = IOVEC_MAKE(stream->dnstls_data.write_buffer->data, |
29 | stream->dnstls_data.write_buffer->length); | |
04c4d919 IT |
30 | ss = dns_stream_writev(stream, iov, 1, DNS_STREAM_WRITE_TLS_DATA); |
31 | if (ss < 0) { | |
32 | if (ss == -EAGAIN) | |
33 | stream->dnstls_events |= EPOLLOUT; | |
34 | ||
35 | return ss; | |
36 | } else { | |
37 | stream->dnstls_data.write_buffer->length -= ss; | |
04c4d919 IT |
38 | |
39 | if (stream->dnstls_data.write_buffer->length > 0) { | |
18bddeaa TM |
40 | memmove(stream->dnstls_data.write_buffer->data, |
41 | stream->dnstls_data.write_buffer->data + ss, | |
42 | stream->dnstls_data.write_buffer->length); | |
04c4d919 IT |
43 | stream->dnstls_events |= EPOLLOUT; |
44 | return -EAGAIN; | |
45 | } | |
46 | } | |
47 | } | |
48 | ||
49 | return 0; | |
50 | } | |
51 | ||
096cbdce | 52 | int dnstls_stream_connect_tls(DnsStream *stream, DnsServer *server) { |
36f1946c | 53 | _cleanup_(BIO_freep) BIO *rb = NULL, *wb = NULL; |
096cbdce | 54 | _cleanup_(SSL_freep) SSL *s = NULL; |
36f1946c | 55 | int error, r; |
096cbdce IT |
56 | |
57 | assert(stream); | |
58 | assert(server); | |
59 | ||
04c4d919 IT |
60 | rb = BIO_new_socket(stream->fd, 0); |
61 | if (!rb) | |
62 | return -ENOMEM; | |
63 | ||
64 | wb = BIO_new(BIO_s_mem()); | |
65 | if (!wb) | |
096cbdce IT |
66 | return -ENOMEM; |
67 | ||
04c4d919 IT |
68 | BIO_get_mem_ptr(wb, &stream->dnstls_data.write_buffer); |
69 | ||
096cbdce IT |
70 | s = SSL_new(server->dnstls_data.ctx); |
71 | if (!s) | |
72 | return -ENOMEM; | |
73 | ||
74 | SSL_set_connect_state(s); | |
04c4d919 IT |
75 | SSL_set_session(s, server->dnstls_data.session); |
76 | SSL_set_bio(s, TAKE_PTR(rb), TAKE_PTR(wb)); | |
77 | ||
59c3fee2 | 78 | ERR_clear_error(); |
04c4d919 IT |
79 | stream->dnstls_data.handshake = SSL_do_handshake(s); |
80 | if (stream->dnstls_data.handshake <= 0) { | |
81 | error = SSL_get_error(s, stream->dnstls_data.handshake); | |
82 | if (!IN_SET(error, SSL_ERROR_WANT_READ, SSL_ERROR_WANT_WRITE)) { | |
83 | char errbuf[256]; | |
096cbdce | 84 | |
04c4d919 IT |
85 | ERR_error_string_n(error, errbuf, sizeof(errbuf)); |
86 | log_debug("Failed to invoke SSL_do_handshake: %s", errbuf); | |
87 | return -ECONNREFUSED; | |
88 | } | |
89 | } | |
096cbdce IT |
90 | |
91 | stream->encrypted = true; | |
04c4d919 IT |
92 | |
93 | r = dnstls_flush_write_buffer(stream); | |
94 | if (r < 0 && r != -EAGAIN) | |
95 | return r; | |
96 | ||
096cbdce IT |
97 | stream->dnstls_data.ssl = TAKE_PTR(s); |
98 | ||
99 | return 0; | |
100 | } | |
101 | ||
102 | void dnstls_stream_free(DnsStream *stream) { | |
103 | assert(stream); | |
104 | assert(stream->encrypted); | |
105 | ||
106 | if (stream->dnstls_data.ssl) | |
107 | SSL_free(stream->dnstls_data.ssl); | |
108 | } | |
109 | ||
04c4d919 | 110 | int dnstls_stream_on_io(DnsStream *stream, uint32_t revents) { |
36f1946c | 111 | int error, r; |
096cbdce IT |
112 | |
113 | assert(stream); | |
114 | assert(stream->encrypted); | |
115 | assert(stream->dnstls_data.ssl); | |
116 | ||
36f1946c | 117 | /* Flush write buffer when requested by OpenSSL */ |
04c4d919 IT |
118 | if ((revents & EPOLLOUT) && (stream->dnstls_events & EPOLLOUT)) { |
119 | r = dnstls_flush_write_buffer(stream); | |
120 | if (r < 0) | |
121 | return r; | |
122 | } | |
123 | ||
096cbdce | 124 | if (stream->dnstls_data.shutdown) { |
59c3fee2 | 125 | ERR_clear_error(); |
096cbdce | 126 | r = SSL_shutdown(stream->dnstls_data.ssl); |
8eadd291 YW |
127 | if (r == 0) { |
128 | stream->dnstls_events = 0; | |
129 | ||
130 | r = dnstls_flush_write_buffer(stream); | |
131 | if (r < 0) | |
132 | return r; | |
133 | ||
134 | return -EAGAIN; | |
135 | } else if (r < 0) { | |
096cbdce | 136 | error = SSL_get_error(stream->dnstls_data.ssl, r); |
8eadd291 YW |
137 | if (IN_SET(error, SSL_ERROR_WANT_READ, SSL_ERROR_WANT_WRITE)) { |
138 | stream->dnstls_events = error == SSL_ERROR_WANT_READ ? EPOLLIN : EPOLLOUT; | |
04c4d919 IT |
139 | |
140 | r = dnstls_flush_write_buffer(stream); | |
141 | if (r < 0) | |
142 | return r; | |
143 | ||
096cbdce | 144 | return -EAGAIN; |
8eadd291 YW |
145 | } else if (error == SSL_ERROR_SYSCALL) { |
146 | if (errno > 0) | |
147 | log_debug_errno(errno, "Failed to invoke SSL_shutdown, ignoring: %m"); | |
096cbdce IT |
148 | } else { |
149 | char errbuf[256]; | |
150 | ||
151 | ERR_error_string_n(error, errbuf, sizeof(errbuf)); | |
8eadd291 | 152 | log_debug("Failed to invoke SSL_shutdown, ignoring: %s", errbuf); |
096cbdce IT |
153 | } |
154 | } | |
155 | ||
8eadd291 YW |
156 | stream->dnstls_events = 0; |
157 | stream->dnstls_data.shutdown = false; | |
158 | ||
04c4d919 IT |
159 | r = dnstls_flush_write_buffer(stream); |
160 | if (r < 0) | |
161 | return r; | |
162 | ||
096cbdce IT |
163 | dns_stream_unref(stream); |
164 | return DNSTLS_STREAM_CLOSED; | |
165 | } else if (stream->dnstls_data.handshake <= 0) { | |
59c3fee2 | 166 | ERR_clear_error(); |
096cbdce IT |
167 | stream->dnstls_data.handshake = SSL_do_handshake(stream->dnstls_data.ssl); |
168 | if (stream->dnstls_data.handshake <= 0) { | |
169 | error = SSL_get_error(stream->dnstls_data.ssl, stream->dnstls_data.handshake); | |
170 | if (IN_SET(error, SSL_ERROR_WANT_READ, SSL_ERROR_WANT_WRITE)) { | |
171 | stream->dnstls_events = error == SSL_ERROR_WANT_READ ? EPOLLIN : EPOLLOUT; | |
04c4d919 IT |
172 | r = dnstls_flush_write_buffer(stream); |
173 | if (r < 0) | |
174 | return r; | |
175 | ||
096cbdce IT |
176 | return -EAGAIN; |
177 | } else { | |
178 | char errbuf[256]; | |
179 | ||
180 | ERR_error_string_n(error, errbuf, sizeof(errbuf)); | |
baaa35ad ZJS |
181 | return log_debug_errno(SYNTHETIC_ERRNO(ECONNREFUSED), |
182 | "Failed to invoke SSL_do_handshake: %s", | |
183 | errbuf); | |
096cbdce IT |
184 | } |
185 | } | |
186 | ||
187 | stream->dnstls_events = 0; | |
04c4d919 IT |
188 | r = dnstls_flush_write_buffer(stream); |
189 | if (r < 0) | |
190 | return r; | |
096cbdce IT |
191 | } |
192 | ||
193 | return 0; | |
194 | } | |
195 | ||
196 | int dnstls_stream_shutdown(DnsStream *stream, int error) { | |
36f1946c | 197 | int ssl_error, r; |
096cbdce IT |
198 | SSL_SESSION *s; |
199 | ||
200 | assert(stream); | |
201 | assert(stream->encrypted); | |
202 | assert(stream->dnstls_data.ssl); | |
203 | ||
04c4d919 IT |
204 | if (stream->server) { |
205 | s = SSL_get1_session(stream->dnstls_data.ssl); | |
206 | if (s) { | |
207 | if (stream->server->dnstls_data.session) | |
208 | SSL_SESSION_free(stream->server->dnstls_data.session); | |
209 | ||
210 | stream->server->dnstls_data.session = s; | |
211 | } | |
212 | } | |
213 | ||
096cbdce | 214 | if (error == ETIMEDOUT) { |
59c3fee2 | 215 | ERR_clear_error(); |
096cbdce IT |
216 | r = SSL_shutdown(stream->dnstls_data.ssl); |
217 | if (r == 0) { | |
218 | if (!stream->dnstls_data.shutdown) { | |
219 | stream->dnstls_data.shutdown = true; | |
220 | dns_stream_ref(stream); | |
221 | } | |
04c4d919 | 222 | |
8eadd291 YW |
223 | stream->dnstls_events = 0; |
224 | ||
04c4d919 IT |
225 | r = dnstls_flush_write_buffer(stream); |
226 | if (r < 0) | |
227 | return r; | |
228 | ||
096cbdce IT |
229 | return -EAGAIN; |
230 | } else if (r < 0) { | |
231 | ssl_error = SSL_get_error(stream->dnstls_data.ssl, r); | |
232 | if (IN_SET(ssl_error, SSL_ERROR_WANT_READ, SSL_ERROR_WANT_WRITE)) { | |
233 | stream->dnstls_events = ssl_error == SSL_ERROR_WANT_READ ? EPOLLIN : EPOLLOUT; | |
04c4d919 IT |
234 | r = dnstls_flush_write_buffer(stream); |
235 | if (r < 0 && r != -EAGAIN) | |
236 | return r; | |
237 | ||
096cbdce IT |
238 | if (!stream->dnstls_data.shutdown) { |
239 | stream->dnstls_data.shutdown = true; | |
240 | dns_stream_ref(stream); | |
241 | } | |
242 | return -EAGAIN; | |
8eadd291 YW |
243 | } else if (ssl_error == SSL_ERROR_SYSCALL) { |
244 | if (errno > 0) | |
245 | log_debug_errno(errno, "Failed to invoke SSL_shutdown, ignoring: %m"); | |
096cbdce IT |
246 | } else { |
247 | char errbuf[256]; | |
248 | ||
249 | ERR_error_string_n(ssl_error, errbuf, sizeof(errbuf)); | |
8eadd291 | 250 | log_debug("Failed to invoke SSL_shutdown, ignoring: %s", errbuf); |
096cbdce IT |
251 | } |
252 | } | |
04c4d919 IT |
253 | |
254 | stream->dnstls_events = 0; | |
255 | r = dnstls_flush_write_buffer(stream); | |
256 | if (r < 0) | |
257 | return r; | |
096cbdce IT |
258 | } |
259 | ||
260 | return 0; | |
261 | } | |
262 | ||
263 | ssize_t dnstls_stream_write(DnsStream *stream, const char *buf, size_t count) { | |
36f1946c | 264 | int error, r; |
096cbdce IT |
265 | ssize_t ss; |
266 | ||
267 | assert(stream); | |
268 | assert(stream->encrypted); | |
269 | assert(stream->dnstls_data.ssl); | |
270 | assert(buf); | |
271 | ||
59c3fee2 | 272 | ERR_clear_error(); |
096cbdce IT |
273 | ss = r = SSL_write(stream->dnstls_data.ssl, buf, count); |
274 | if (r <= 0) { | |
8e740110 | 275 | error = SSL_get_error(stream->dnstls_data.ssl, r); |
096cbdce IT |
276 | if (IN_SET(error, SSL_ERROR_WANT_READ, SSL_ERROR_WANT_WRITE)) { |
277 | stream->dnstls_events = error == SSL_ERROR_WANT_READ ? EPOLLIN : EPOLLOUT; | |
278 | ss = -EAGAIN; | |
8e740110 YW |
279 | } else if (error == SSL_ERROR_ZERO_RETURN) { |
280 | stream->dnstls_events = 0; | |
281 | ss = 0; | |
096cbdce IT |
282 | } else { |
283 | char errbuf[256]; | |
284 | ||
285 | ERR_error_string_n(error, errbuf, sizeof(errbuf)); | |
36f1946c | 286 | log_debug("Failed to invoke SSL_write: %s", errbuf); |
8e740110 | 287 | stream->dnstls_events = 0; |
096cbdce IT |
288 | ss = -EPIPE; |
289 | } | |
8e740110 YW |
290 | } else |
291 | stream->dnstls_events = 0; | |
096cbdce | 292 | |
04c4d919 IT |
293 | r = dnstls_flush_write_buffer(stream); |
294 | if (r < 0) | |
295 | return r; | |
296 | ||
096cbdce IT |
297 | return ss; |
298 | } | |
299 | ||
300 | ssize_t dnstls_stream_read(DnsStream *stream, void *buf, size_t count) { | |
36f1946c | 301 | int error, r; |
096cbdce IT |
302 | ssize_t ss; |
303 | ||
304 | assert(stream); | |
305 | assert(stream->encrypted); | |
306 | assert(stream->dnstls_data.ssl); | |
307 | assert(buf); | |
308 | ||
59c3fee2 | 309 | ERR_clear_error(); |
096cbdce IT |
310 | ss = r = SSL_read(stream->dnstls_data.ssl, buf, count); |
311 | if (r <= 0) { | |
8e740110 | 312 | error = SSL_get_error(stream->dnstls_data.ssl, r); |
096cbdce IT |
313 | if (IN_SET(error, SSL_ERROR_WANT_READ, SSL_ERROR_WANT_WRITE)) { |
314 | stream->dnstls_events = error == SSL_ERROR_WANT_READ ? EPOLLIN : EPOLLOUT; | |
315 | ss = -EAGAIN; | |
8e740110 YW |
316 | } else if (error == SSL_ERROR_ZERO_RETURN) { |
317 | stream->dnstls_events = 0; | |
318 | ss = 0; | |
096cbdce IT |
319 | } else { |
320 | char errbuf[256]; | |
321 | ||
322 | ERR_error_string_n(error, errbuf, sizeof(errbuf)); | |
323 | log_debug("Failed to invoke SSL_read: %s", errbuf); | |
8e740110 | 324 | stream->dnstls_events = 0; |
096cbdce IT |
325 | ss = -EPIPE; |
326 | } | |
8e740110 YW |
327 | } else |
328 | stream->dnstls_events = 0; | |
04c4d919 IT |
329 | |
330 | /* flush write buffer in cache of renegotiation */ | |
331 | r = dnstls_flush_write_buffer(stream); | |
332 | if (r < 0) | |
333 | return r; | |
334 | ||
096cbdce IT |
335 | return ss; |
336 | } | |
337 | ||
338 | void dnstls_server_init(DnsServer *server) { | |
339 | assert(server); | |
340 | ||
341 | server->dnstls_data.ctx = SSL_CTX_new(TLS_client_method()); | |
342 | if (server->dnstls_data.ctx) { | |
343 | SSL_CTX_set_min_proto_version(server->dnstls_data.ctx, TLS1_2_VERSION); | |
344 | SSL_CTX_set_options(server->dnstls_data.ctx, SSL_OP_NO_COMPRESSION); | |
345 | } | |
346 | } | |
347 | ||
348 | void dnstls_server_free(DnsServer *server) { | |
349 | assert(server); | |
350 | ||
351 | if (server->dnstls_data.ctx) | |
352 | SSL_CTX_free(server->dnstls_data.ctx); | |
04c4d919 IT |
353 | |
354 | if (server->dnstls_data.session) | |
355 | SSL_SESSION_free(server->dnstls_data.session); | |
096cbdce | 356 | } |