]> git.ipfire.org Git - thirdparty/systemd.git/blob - src/resolve/resolved-dnstls-openssl.c
projects / thirdparty / systemd.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
resolve: fix typo and coding style cleanups
[thirdparty/systemd.git] / src / resolve / resolved-dnstls-openssl.c
1 /* SPDX-License-Identifier: LGPL-2.1+ */
2
3 #if !ENABLE_DNS_OVER_TLS || !DNS_OVER_TLS_USE_OPENSSL
4 #error This source file requires DNS-over-TLS to be enabled and OpenSSL to be available.
5 #endif
6
7 #include "resolved-dnstls.h"
8 #include "resolved-dns-stream.h"
9
10 #include <openssl/bio.h>
11 #include <openssl/err.h>
12
13 DEFINE_TRIVIAL_CLEANUP_FUNC(SSL*, SSL_free);
14 DEFINE_TRIVIAL_CLEANUP_FUNC(BIO*, BIO_free);
15
16 static int dnstls_flush_write_buffer(DnsStream *stream) {
17 ssize_t ss;
18
19 assert(stream);
20 assert(stream->encrypted);
21
22 if (stream->dnstls_data.write_buffer->length > 0) {
23 assert(stream->dnstls_data.write_buffer->data);
24
25 struct iovec iov[1];
26 iov[0].iov_base = stream->dnstls_data.write_buffer->data;
27 iov[0].iov_len = stream->dnstls_data.write_buffer->length;
28 ss = dns_stream_writev(stream, iov, 1, DNS_STREAM_WRITE_TLS_DATA);
29 if (ss < 0) {
30 if (ss == -EAGAIN)
31 stream->dnstls_events |= EPOLLOUT;
32
33 return ss;
34 } else {
35 stream->dnstls_data.write_buffer->length -= ss;
36 stream->dnstls_data.write_buffer->data += ss;
37
38 if (stream->dnstls_data.write_buffer->length > 0) {
39 stream->dnstls_events |= EPOLLOUT;
40 return -EAGAIN;
41 }
42 }
43 }
44
45 return 0;
46 }
47
48 int dnstls_stream_connect_tls(DnsStream *stream, DnsServer *server) {
49 _cleanup_(BIO_freep) BIO *rb = NULL, *wb = NULL;
50 _cleanup_(SSL_freep) SSL *s = NULL;
51 int error, r;
52
53 assert(stream);
54 assert(server);
55
56 rb = BIO_new_socket(stream->fd, 0);
57 if (!rb)
58 return -ENOMEM;
59
60 wb = BIO_new(BIO_s_mem());
61 if (!wb)
62 return -ENOMEM;
63
64 BIO_get_mem_ptr(wb, &stream->dnstls_data.write_buffer);
65
66 s = SSL_new(server->dnstls_data.ctx);
67 if (!s)
68 return -ENOMEM;
69
70 SSL_set_connect_state(s);
71 SSL_set_session(s, server->dnstls_data.session);
72 SSL_set_bio(s, TAKE_PTR(rb), TAKE_PTR(wb));
73
74 ERR_clear_error();
75 stream->dnstls_data.handshake = SSL_do_handshake(s);
76 if (stream->dnstls_data.handshake <= 0) {
77 error = SSL_get_error(s, stream->dnstls_data.handshake);
78 if (!IN_SET(error, SSL_ERROR_WANT_READ, SSL_ERROR_WANT_WRITE)) {
79 char errbuf[256];
80
81 ERR_error_string_n(error, errbuf, sizeof(errbuf));
82 log_debug("Failed to invoke SSL_do_handshake: %s", errbuf);
83 return -ECONNREFUSED;
84 }
85 }
86
87 stream->encrypted = true;
88
89 r = dnstls_flush_write_buffer(stream);
90 if (r < 0 && r != -EAGAIN)
91 return r;
92
93 stream->dnstls_data.ssl = TAKE_PTR(s);
94
95 return 0;
96 }
97
98 void dnstls_stream_free(DnsStream *stream) {
99 assert(stream);
100 assert(stream->encrypted);
101
102 if (stream->dnstls_data.ssl)
103 SSL_free(stream->dnstls_data.ssl);
104 }
105
106 int dnstls_stream_on_io(DnsStream *stream, uint32_t revents) {
107 int error, r;
108
109 assert(stream);
110 assert(stream->encrypted);
111 assert(stream->dnstls_data.ssl);
112
113 /* Flush write buffer when requested by OpenSSL */
114 if ((revents & EPOLLOUT) && (stream->dnstls_events & EPOLLOUT)) {
115 r = dnstls_flush_write_buffer(stream);
116 if (r < 0)
117 return r;
118 }
119
120 if (stream->dnstls_data.shutdown) {
121 ERR_clear_error();
122 r = SSL_shutdown(stream->dnstls_data.ssl);
123 if (r <= 0) {
124 error = SSL_get_error(stream->dnstls_data.ssl, r);
125 if (r == 0 || IN_SET(error, SSL_ERROR_WANT_READ, SSL_ERROR_WANT_WRITE)) {
126 if (r < 0)
127 stream->dnstls_events = error == SSL_ERROR_WANT_READ ? EPOLLIN : EPOLLOUT;
128
129 r = dnstls_flush_write_buffer(stream);
130 if (r < 0)
131 return r;
132
133 return -EAGAIN;
134 } else {
135 char errbuf[256];
136
137 ERR_error_string_n(error, errbuf, sizeof(errbuf));
138 log_debug("Failed to invoke SSL_shutdown: %s", errbuf);
139 }
140 }
141
142 r = dnstls_flush_write_buffer(stream);
143 if (r < 0)
144 return r;
145
146 stream->dnstls_events = 0;
147 stream->dnstls_data.shutdown = false;
148 dns_stream_unref(stream);
149 return DNSTLS_STREAM_CLOSED;
150 } else if (stream->dnstls_data.handshake <= 0) {
151 ERR_clear_error();
152 stream->dnstls_data.handshake = SSL_do_handshake(stream->dnstls_data.ssl);
153 if (stream->dnstls_data.handshake <= 0) {
154 error = SSL_get_error(stream->dnstls_data.ssl, stream->dnstls_data.handshake);
155 if (IN_SET(error, SSL_ERROR_WANT_READ, SSL_ERROR_WANT_WRITE)) {
156 stream->dnstls_events = error == SSL_ERROR_WANT_READ ? EPOLLIN : EPOLLOUT;
157 r = dnstls_flush_write_buffer(stream);
158 if (r < 0)
159 return r;
160
161 return -EAGAIN;
162 } else {
163 char errbuf[256];
164
165 ERR_error_string_n(error, errbuf, sizeof(errbuf));
166 log_debug("Failed to invoke SSL_do_handshake: %s", errbuf);
167 return -ECONNREFUSED;
168 }
169 }
170
171 stream->dnstls_events = 0;
172 r = dnstls_flush_write_buffer(stream);
173 if (r < 0)
174 return r;
175 }
176
177 return 0;
178 }
179
180 int dnstls_stream_shutdown(DnsStream *stream, int error) {
181 int ssl_error, r;
182 SSL_SESSION *s;
183
184 assert(stream);
185 assert(stream->encrypted);
186 assert(stream->dnstls_data.ssl);
187
188 if (stream->server) {
189 s = SSL_get1_session(stream->dnstls_data.ssl);
190 if (s) {
191 if (stream->server->dnstls_data.session)
192 SSL_SESSION_free(stream->server->dnstls_data.session);
193
194 stream->server->dnstls_data.session = s;
195 }
196 }
197
198 if (error == ETIMEDOUT) {
199 ERR_clear_error();
200 r = SSL_shutdown(stream->dnstls_data.ssl);
201 if (r == 0) {
202 if (!stream->dnstls_data.shutdown) {
203 stream->dnstls_data.shutdown = true;
204 dns_stream_ref(stream);
205 }
206
207 r = dnstls_flush_write_buffer(stream);
208 if (r < 0)
209 return r;
210
211 return -EAGAIN;
212 } else if (r < 0) {
213 ssl_error = SSL_get_error(stream->dnstls_data.ssl, r);
214 if (IN_SET(ssl_error, SSL_ERROR_WANT_READ, SSL_ERROR_WANT_WRITE)) {
215 stream->dnstls_events = ssl_error == SSL_ERROR_WANT_READ ? EPOLLIN : EPOLLOUT;
216 r = dnstls_flush_write_buffer(stream);
217 if (r < 0 && r != -EAGAIN)
218 return r;
219
220 if (!stream->dnstls_data.shutdown) {
221 stream->dnstls_data.shutdown = true;
222 dns_stream_ref(stream);
223 }
224 return -EAGAIN;
225 } else {
226 char errbuf[256];
227
228 ERR_error_string_n(ssl_error, errbuf, sizeof(errbuf));
229 log_debug("Failed to invoke SSL_shutdown: %s", errbuf);
230 }
231 }
232
233 stream->dnstls_events = 0;
234 r = dnstls_flush_write_buffer(stream);
235 if (r < 0)
236 return r;
237 }
238
239 return 0;
240 }
241
242 ssize_t dnstls_stream_write(DnsStream *stream, const char *buf, size_t count) {
243 int error, r;
244 ssize_t ss;
245
246 assert(stream);
247 assert(stream->encrypted);
248 assert(stream->dnstls_data.ssl);
249 assert(buf);
250
251 ERR_clear_error();
252 ss = r = SSL_write(stream->dnstls_data.ssl, buf, count);
253 if (r <= 0) {
254 error = SSL_get_error(stream->dnstls_data.ssl, ss);
255 if (IN_SET(error, SSL_ERROR_WANT_READ, SSL_ERROR_WANT_WRITE)) {
256 stream->dnstls_events = error == SSL_ERROR_WANT_READ ? EPOLLIN : EPOLLOUT;
257 r = dnstls_flush_write_buffer(stream);
258 if (r < 0)
259 return r;
260
261 ss = -EAGAIN;
262 } else {
263 char errbuf[256];
264
265 ERR_error_string_n(error, errbuf, sizeof(errbuf));
266 log_debug("Failed to invoke SSL_write: %s", errbuf);
267 ss = -EPIPE;
268 }
269 }
270
271 stream->dnstls_events = 0;
272 r = dnstls_flush_write_buffer(stream);
273 if (r < 0)
274 return r;
275
276 return ss;
277 }
278
279 ssize_t dnstls_stream_read(DnsStream *stream, void *buf, size_t count) {
280 int error, r;
281 ssize_t ss;
282
283 assert(stream);
284 assert(stream->encrypted);
285 assert(stream->dnstls_data.ssl);
286 assert(buf);
287
288 ERR_clear_error();
289 ss = r = SSL_read(stream->dnstls_data.ssl, buf, count);
290 if (r <= 0) {
291 error = SSL_get_error(stream->dnstls_data.ssl, ss);
292 if (IN_SET(error, SSL_ERROR_WANT_READ, SSL_ERROR_WANT_WRITE)) {
293 stream->dnstls_events = error == SSL_ERROR_WANT_READ ? EPOLLIN : EPOLLOUT;
294
295 /* flush write buffer in cache of renegotiation */
296 r = dnstls_flush_write_buffer(stream);
297 if (r < 0)
298 return r;
299
300 ss = -EAGAIN;
301 } else {
302 char errbuf[256];
303
304 ERR_error_string_n(error, errbuf, sizeof(errbuf));
305 log_debug("Failed to invoke SSL_read: %s", errbuf);
306 ss = -EPIPE;
307 }
308 }
309
310 stream->dnstls_events = 0;
311
312 /* flush write buffer in cache of renegotiation */
313 r = dnstls_flush_write_buffer(stream);
314 if (r < 0)
315 return r;
316
317 return ss;
318 }
319
320 void dnstls_server_init(DnsServer *server) {
321 assert(server);
322
323 server->dnstls_data.ctx = SSL_CTX_new(TLS_client_method());
324 if (server->dnstls_data.ctx) {
325 SSL_CTX_set_min_proto_version(server->dnstls_data.ctx, TLS1_2_VERSION);
326 SSL_CTX_set_options(server->dnstls_data.ctx, SSL_OP_NO_COMPRESSION);
327 }
328 }
329
330 void dnstls_server_free(DnsServer *server) {
331 assert(server);
332
333 if (server->dnstls_data.ctx)
334 SSL_CTX_free(server->dnstls_data.ctx);
335
336 if (server->dnstls_data.session)
337 SSL_SESSION_free(server->dnstls_data.session);
338 }
Unnamed repository; edit this file 'description' to name the repository.