'DNSSEC_' + default_dnssec.underscorify().to_upper())
substs.set('DEFAULT_DNSSEC_MODE', default_dnssec)
+dns_over_tls = get_option('dns-over-tls')
+if dns_over_tls != 'false'
+ have = conf.get('HAVE_GNUTLS') == 1
+ if dns_over_tls == 'true' and not have
+ error('DNS-over-TLS support was requested, but dependencies are not available')
+ endif
+else
+ have = false
+endif
+conf.set10('ENABLE_DNS_OVER_TLS', have)
+
default_dns_over_tls = get_option('default-dns-over-tls')
if fuzzer_build
default_dns_over_tls = 'no'
endif
-if default_dns_over_tls != 'no' and conf.get('HAVE_GNUTLS') == 0
- message('default-dns-over-tls cannot be set to strict or opportunistic when gnutls is disabled. Setting default-dns-over-tls to no.')
+if default_dns_over_tls != 'no' and conf.get('ENABLE_DNS_OVER_TLS') == 0
+ message('default-dns-over-tls cannot be set to opportunistic when DNS-over-TLS support is disabled. Setting default-dns-over-tls to no.')
default_dns_over_tls = 'no'
endif
conf.set('DEFAULT_DNS_OVER_TLS_MODE',
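Review bot: The `have` test on the `conf.get('HAVE_GNUTLS') == 1` line only checks that gnutls was found at all, while the TLS code this option now gates uses `GNUTLS_ENABLE_FALSE_START` and `<gnutls/socket.h>`, which only newer gnutls releases provide; if the libgnutls dependency (declared outside this hunk) carries an older minimum version, `dns-over-tls=auto` or `true` will pass this check and then fail at compile time against an old gnutls. Consider binding the feature to the version the code actually needs, e.g. `have = conf.get('HAVE_GNUTLS') == 1 and libgnutls.version().version_compare('>= 3.5.3')`, with the threshold confirmed against whichever release introduced those symbols, so `auto` degrades cleanly and `true` reports the missing dependency rather than a build error. The surrounding option handling starts before this hunk.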
link_with : [libshared,
libbasic_gcrypt,
libsystemd_resolve_core],
- dependencies : [threads,
- libgnutls,
- libgpg_error,
- libm,
- libidn],
+ dependencies : systemd_resolved_dependencies,
install_rpath : rootlibexecdir,
install : true,
install_dir : rootlibexecdir)
['localed'],
['networkd'],
['resolve'],
+ ['DNS-over-TLS'],
['coredump'],
['polkit'],
['legacy pkla', install_polkit_pkla],
description : 'default DNS-over-TLS mode',
choices : ['opportunistic', 'no'],
value : 'no')
+option('dns-over-tls', type : 'combo', choices : ['auto', 'true', 'false'],
+ description : 'DNS-over-TLS support')
option('dns-servers', type : 'string',
description : 'space-separated list of default DNS servers',
value : '8.8.8.8 8.8.4.4 2001:4860:4860::8888 2001:4860:4860::8844')
systemd_resolved_sources += [resolved_gperf_c, resolved_dnssd_gperf_c]
+systemd_resolved_dependencies = [threads, libgpg_error, libm, libidn]
+if conf.get('ENABLE_DNS_OVER_TLS') == 1
+ systemd_resolved_dependencies += [libgnutls]
+endif
+
if conf.get('ENABLE_RESOLVE') == 1
install_data('org.freedesktop.resolve1.conf',
install_dir : dbuspolicydir)
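Review bot: The new `systemd_resolved_dependencies` list is consumed by the `executable()` call in the top-level meson.build, so this subdir has to be evaluated before that call runs and the `libgnutls` entry depends on `ENABLE_DNS_OVER_TLS` already having been set there; neither of those orderings is visible from this file. A short comment above the list, e.g. `# Consumed by the systemd-resolved executable() in the top-level meson.build; ENABLE_DNS_OVER_TLS must already be decided`, would make the cross-file dependency explicit for the next person who reorders the build.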
}
#endif
-#if ! HAVE_GNUTLS
+#if ! ENABLE_DNS_OVER_TLS
if (m->dns_over_tls_mode != DNS_OVER_TLS_NO) {
- log_warning("DNS-over-TLS option cannot be set to opportunistic when systemd-resolved is built without gnutls support. Turning off DNS-over-TLS support.");
+ log_warning("DNS-over-TLS option cannot be set to opportunistic when systemd-resolved is built without DNS-over-TLS support. Turning off DNS-over-TLS support.");
m->dns_over_tls_mode = DNS_OVER_TLS_NO;
}
#endif
s->linked = true;
-#if HAVE_GNUTLS
+#if ENABLE_DNS_OVER_TLS
/* Do not verify cerificate */
gnutls_certificate_allocate_credentials(&s->tls_cert_cred);
#endif
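Review bot: The comment kept inside the renamed `#if ENABLE_DNS_OVER_TLS` guard misspells "certificate" and only states what is not done without saying why, even though this is the security-relevant part of the block; since the build option choices are only `opportunistic` and `no`, it is worth spelling out the intent, e.g. `/* Opportunistic DNS-over-TLS: allocate credentials without configuring certificate verification, so the connection is encrypted but the server is not authenticated */`. Only the allocation is visible here, so I cannot confirm from this hunk whether verification is configured elsewhere on the session; if it is, the comment should point to where. The enclosing function starts and ends outside this hunk.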
dns_stream_unref(s->stream);
-#if HAVE_GNUTLS
+#if ENABLE_DNS_OVER_TLS
if (s->tls_cert_cred)
gnutls_certificate_free_credentials(s->tls_cert_cred);
#include "in-addr-util.h"
-#if HAVE_GNUTLS
+#if ENABLE_DNS_OVER_TLS
#include <gnutls/gnutls.h>
#endif
char *server_string;
DnsStream *stream;
-#if HAVE_GNUTLS
+#if ENABLE_DNS_OVER_TLS
gnutls_certificate_credentials_t tls_cert_cred;
gnutls_datum_t tls_session_data;
#endif
static int dns_stream_complete(DnsStream *s, int error) {
assert(s);
-#if HAVE_GNUTLS
+#if ENABLE_DNS_OVER_TLS
if (s->tls_session && IN_SET(error, ETIMEDOUT, 0)) {
int r;
assert(s);
assert(iov);
-#if HAVE_GNUTLS
+#if ENABLE_DNS_OVER_TLS
if (s->tls_session && !(flags & WRITE_TLS_DATA)) {
ssize_t ss;
size_t i;
static ssize_t dns_stream_read(DnsStream *s, void *buf, size_t count) {
ssize_t ss;
-#if HAVE_GNUTLS
+#if ENABLE_DNS_OVER_TLS
if (s->tls_session) {
ss = gnutls_record_recv(s->tls_session, buf, count);
if (ss < 0) {
return ss;
}
-#if HAVE_GNUTLS
+#if ENABLE_DNS_OVER_TLS
static ssize_t dns_stream_tls_writev(gnutls_transport_ptr_t p, const giovec_t * iov, int iovcnt) {
int r;
assert(s);
-#if HAVE_GNUTLS
+#if ENABLE_DNS_OVER_TLS
if (s->tls_bye) {
assert(s->tls_session);
s->manager->n_dns_streams--;
}
-#if HAVE_GNUTLS
+#if ENABLE_DNS_OVER_TLS
if (s->tls_session)
gnutls_deinit(s->tls_session);
#endif
return 0;
}
-#if HAVE_GNUTLS
+#if ENABLE_DNS_OVER_TLS
int dns_stream_connect_tls(DnsStream *s, gnutls_session_t tls_session) {
gnutls_transport_set_ptr2(tls_session, (gnutls_transport_ptr_t) (long) s->fd, s);
gnutls_transport_set_vec_push_function(tls_session, &dns_stream_tls_writev);
#include "resolved-dns-transaction.h"
#include "resolved-manager.h"
-#if HAVE_GNUTLS
+#if ENABLE_DNS_OVER_TLS
#include <gnutls/gnutls.h>
#endif
union sockaddr_union tfo_address;
socklen_t tfo_salen;
-#if HAVE_GNUTLS
+#if ENABLE_DNS_OVER_TLS
gnutls_session_t tls_session;
int tls_handshake;
bool tls_bye;
};
int dns_stream_new(Manager *m, DnsStream **s, DnsProtocol protocol, int fd, const union sockaddr_union *tfo_address);
-#if HAVE_GNUTLS
+#if ENABLE_DNS_OVER_TLS
int dns_stream_connect_tls(DnsStream *s, gnutls_session_t tls_session);
#endif
DnsStream *dns_stream_unref(DnsStream *s);
#include "resolved-llmnr.h"
#include "string-table.h"
-#if HAVE_GNUTLS
+#if ENABLE_DNS_OVER_TLS
#include <gnutls/socket.h>
#endif
}
static int on_stream_connection(DnsStream *s) {
-#if HAVE_GNUTLS
+#if ENABLE_DNS_OVER_TLS
/* Store TLS Ticket for faster succesive TLS handshakes */
if (s->tls_session && s->server) {
if (s->server->tls_session_data.data)
_cleanup_(dns_stream_unrefp) DnsStream *s = NULL;
union sockaddr_union sa;
int r;
-#if HAVE_GNUTLS
+#if ENABLE_DNS_OVER_TLS
gnutls_session_t gs;
#endif
s->server = dns_server_ref(t->server);
}
-#if HAVE_GNUTLS
+#if ENABLE_DNS_OVER_TLS
if (DNS_SERVER_FEATURE_LEVEL_IS_TLS(t->current_feature_level)) {
r = gnutls_init(&gs, GNUTLS_CLIENT | GNUTLS_ENABLE_FALSE_START | GNUTLS_NONBLOCK);
if (r < 0)
assert(l);
-#if ! HAVE_GNUTLS
+#if ! ENABLE_DNS_OVER_TLS
if (mode != DNS_OVER_TLS_NO)
- log_warning("DNS-over-TLS option for the link cannot be set to opportunistic when systemd-resolved is built without gnutls support. Turning off DNS-over-TLS support.");
+ log_warning("DNS-over-TLS option for the link cannot be set to opportunistic when systemd-resolved is built without DNS-over-TLS support. Turning off DNS-over-TLS support.");
return;
#endif