[thirdparty/systemd.git] / src / resolve / resolved-dnstls-openssl.c

/* SPDX-License-Identifier: LGPL-2.1+ */

#if !ENABLE_DNS_OVER_TLS || !DNS_OVER_TLS_USE_OPENSSL
#error This source file requires DNS-over-TLS to be enabled and OpenSSL to be available.
#endif

#include "resolved-dnstls.h"
#include "resolved-dns-stream.h"

#include <openssl/bio.h>
#include <openssl/err.h>

DEFINE_TRIVIAL_CLEANUP_FUNC(SSL*, SSL_free);
DEFINE_TRIVIAL_CLEANUP_FUNC(BIO*, BIO_free);

static int dnstls_flush_write_buffer(DnsStream *stream) {
        ssize_t ss;

        assert(stream);
        assert(stream->encrypted);

        if (stream->dnstls_data.write_buffer->length > 0) {
                assert(stream->dnstls_data.write_buffer->data);

                struct iovec iov[1];
                iov[0].iov_base = stream->dnstls_data.write_buffer->data;
                iov[0].iov_len = stream->dnstls_data.write_buffer->length;
                ss = dns_stream_writev(stream, iov, 1, DNS_STREAM_WRITE_TLS_DATA);
                if (ss < 0) {
                        if (ss == -EAGAIN)
                                stream->dnstls_events |= EPOLLOUT;

                        return ss;
                } else {
                        stream->dnstls_data.write_buffer->length -= ss;
                        stream->dnstls_data.write_buffer->data += ss;

                        if (stream->dnstls_data.write_buffer->length > 0) {
                                stream->dnstls_events |= EPOLLOUT;
                                return -EAGAIN;
                        }
                }
        }

        return 0;
}

int dnstls_stream_connect_tls(DnsStream *stream, DnsServer *server) {
        _cleanup_(BIO_freep) BIO *rb = NULL, *wb = NULL;
        _cleanup_(SSL_freep) SSL *s = NULL;
        int error, r;

        assert(stream);
        assert(server);

        rb = BIO_new_socket(stream->fd, 0);
        if (!rb)
                return -ENOMEM;

        wb = BIO_new(BIO_s_mem());
        if (!wb)
                return -ENOMEM;

        BIO_get_mem_ptr(wb, &stream->dnstls_data.write_buffer);

        s = SSL_new(server->dnstls_data.ctx);
        if (!s)
                return -ENOMEM;

        SSL_set_connect_state(s);
        SSL_set_session(s, server->dnstls_data.session);
        SSL_set_bio(s, TAKE_PTR(rb), TAKE_PTR(wb));

        ERR_clear_error();
        stream->dnstls_data.handshake = SSL_do_handshake(s);
        if (stream->dnstls_data.handshake <= 0) {
                error = SSL_get_error(s, stream->dnstls_data.handshake);
                if (!IN_SET(error, SSL_ERROR_WANT_READ, SSL_ERROR_WANT_WRITE)) {
                        char errbuf[256];

                        ERR_error_string_n(error, errbuf, sizeof(errbuf));
                        log_debug("Failed to invoke SSL_do_handshake: %s", errbuf);
                        return -ECONNREFUSED;
                }
        }

        stream->encrypted = true;

        r = dnstls_flush_write_buffer(stream);
        if (r < 0 && r != -EAGAIN)
                return r;

        stream->dnstls_data.ssl = TAKE_PTR(s);

        return 0;
}

void dnstls_stream_free(DnsStream *stream) {
        assert(stream);
        assert(stream->encrypted);

        if (stream->dnstls_data.ssl)
                SSL_free(stream->dnstls_data.ssl);
}

int dnstls_stream_on_io(DnsStream *stream, uint32_t revents) {
        int error, r;

        assert(stream);
        assert(stream->encrypted);
        assert(stream->dnstls_data.ssl);

        /* Flush write buffer when requested by OpenSSL */
        if ((revents & EPOLLOUT) && (stream->dnstls_events & EPOLLOUT)) {
                r = dnstls_flush_write_buffer(stream);
                if (r < 0)
                        return r;
        }

        if (stream->dnstls_data.shutdown) {
                ERR_clear_error();
                r = SSL_shutdown(stream->dnstls_data.ssl);
                if (r <= 0) {
                        error = SSL_get_error(stream->dnstls_data.ssl, r);
                        if (r == 0 || IN_SET(error, SSL_ERROR_WANT_READ, SSL_ERROR_WANT_WRITE)) {
                                if (r < 0)
                                        stream->dnstls_events = error == SSL_ERROR_WANT_READ ? EPOLLIN : EPOLLOUT;

                                r = dnstls_flush_write_buffer(stream);
                                if (r < 0)
                                        return r;

                                return -EAGAIN;
                        } else {
                                char errbuf[256];

                                ERR_error_string_n(error, errbuf, sizeof(errbuf));
                                log_debug("Failed to invoke SSL_shutdown: %s", errbuf);
                        }
                }

                r = dnstls_flush_write_buffer(stream);
                if (r < 0)
                        return r;

                stream->dnstls_events = 0;
                stream->dnstls_data.shutdown = false;
                dns_stream_unref(stream);
                return DNSTLS_STREAM_CLOSED;
        } else if (stream->dnstls_data.handshake <= 0) {
                ERR_clear_error();
                stream->dnstls_data.handshake = SSL_do_handshake(stream->dnstls_data.ssl);
                if (stream->dnstls_data.handshake <= 0) {
                        error = SSL_get_error(stream->dnstls_data.ssl, stream->dnstls_data.handshake);
                        if (IN_SET(error, SSL_ERROR_WANT_READ, SSL_ERROR_WANT_WRITE)) {
                                stream->dnstls_events = error == SSL_ERROR_WANT_READ ? EPOLLIN : EPOLLOUT;
                                r = dnstls_flush_write_buffer(stream);
                                if (r < 0)
                                        return r;

                                return -EAGAIN;
                        } else {
                                char errbuf[256];

                                ERR_error_string_n(error, errbuf, sizeof(errbuf));
                                log_debug("Failed to invoke SSL_do_handshake: %s", errbuf);
                                return -ECONNREFUSED;
                        }
                }

                stream->dnstls_events = 0;
                r = dnstls_flush_write_buffer(stream);
                if (r < 0)
                        return r;
        }

        return 0;
}

int dnstls_stream_shutdown(DnsStream *stream, int error) {
        int ssl_error, r;
        SSL_SESSION *s;

        assert(stream);
        assert(stream->encrypted);
        assert(stream->dnstls_data.ssl);

        if (stream->server) {
                s = SSL_get1_session(stream->dnstls_data.ssl);
                if (s) {
                        if (stream->server->dnstls_data.session)
                                SSL_SESSION_free(stream->server->dnstls_data.session);

                        stream->server->dnstls_data.session = s;
                }
        }

        if (error == ETIMEDOUT) {
                ERR_clear_error();
                r = SSL_shutdown(stream->dnstls_data.ssl);
                if (r == 0) {
                        if (!stream->dnstls_data.shutdown) {
                                stream->dnstls_data.shutdown = true;
                                dns_stream_ref(stream);
                        }

                        r = dnstls_flush_write_buffer(stream);
                        if (r < 0)
                                return r;

                        return -EAGAIN;
                } else if (r < 0) {
                        ssl_error = SSL_get_error(stream->dnstls_data.ssl, r);
                        if (IN_SET(ssl_error, SSL_ERROR_WANT_READ, SSL_ERROR_WANT_WRITE)) {
                                stream->dnstls_events = ssl_error == SSL_ERROR_WANT_READ ? EPOLLIN : EPOLLOUT;
                                r = dnstls_flush_write_buffer(stream);
                                if (r < 0 && r != -EAGAIN)
                                        return r;

                                if (!stream->dnstls_data.shutdown) {
                                        stream->dnstls_data.shutdown = true;
                                        dns_stream_ref(stream);
                                }
                                return -EAGAIN;
                        } else {
                                char errbuf[256];

                                ERR_error_string_n(ssl_error, errbuf, sizeof(errbuf));
                                log_debug("Failed to invoke SSL_shutdown: %s", errbuf);
                        }
                }

                stream->dnstls_events = 0;
                r = dnstls_flush_write_buffer(stream);
                if (r < 0)
                        return r;
        }

        return 0;
}

ssize_t dnstls_stream_write(DnsStream *stream, const char *buf, size_t count) {
        int error, r;
        ssize_t ss;

        assert(stream);
        assert(stream->encrypted);
        assert(stream->dnstls_data.ssl);
        assert(buf);

        ERR_clear_error();
        ss = r = SSL_write(stream->dnstls_data.ssl, buf, count);
        if (r <= 0) {
                error = SSL_get_error(stream->dnstls_data.ssl, ss);
                if (IN_SET(error, SSL_ERROR_WANT_READ, SSL_ERROR_WANT_WRITE)) {
                        stream->dnstls_events = error == SSL_ERROR_WANT_READ ? EPOLLIN : EPOLLOUT;
                        r = dnstls_flush_write_buffer(stream);
                        if (r < 0)
                                return r;

                        ss = -EAGAIN;
                } else {
                        char errbuf[256];

                        ERR_error_string_n(error, errbuf, sizeof(errbuf));
                        log_debug("Failed to invoke SSL_write: %s", errbuf);
                        ss = -EPIPE;
                }
        }

        stream->dnstls_events = 0;
        r = dnstls_flush_write_buffer(stream);
        if (r < 0)
                return r;

        return ss;
}

ssize_t dnstls_stream_read(DnsStream *stream, void *buf, size_t count) {
        int error, r;
        ssize_t ss;

        assert(stream);
        assert(stream->encrypted);
        assert(stream->dnstls_data.ssl);
        assert(buf);

        ERR_clear_error();
        ss = r = SSL_read(stream->dnstls_data.ssl, buf, count);
        if (r <= 0) {
                error = SSL_get_error(stream->dnstls_data.ssl, ss);
                if (IN_SET(error, SSL_ERROR_WANT_READ, SSL_ERROR_WANT_WRITE)) {
                        stream->dnstls_events = error == SSL_ERROR_WANT_READ ? EPOLLIN : EPOLLOUT;

                        /* flush write buffer in cache of renegotiation */
                        r = dnstls_flush_write_buffer(stream);
                        if (r < 0)
                                return r;

                        ss = -EAGAIN;
                } else {
                        char errbuf[256];

                        ERR_error_string_n(error, errbuf, sizeof(errbuf));
                        log_debug("Failed to invoke SSL_read: %s", errbuf);
                        ss = -EPIPE;
                }
        }

        stream->dnstls_events = 0;

        /* flush write buffer in cache of renegotiation */
        r = dnstls_flush_write_buffer(stream);
        if (r < 0)
                return r;

        return ss;
}

void dnstls_server_init(DnsServer *server) {
        assert(server);

        server->dnstls_data.ctx = SSL_CTX_new(TLS_client_method());
        if (server->dnstls_data.ctx) {
                SSL_CTX_set_min_proto_version(server->dnstls_data.ctx, TLS1_2_VERSION);
                SSL_CTX_set_options(server->dnstls_data.ctx, SSL_OP_NO_COMPRESSION);
        }
}

void dnstls_server_free(DnsServer *server) {
        assert(server);

        if (server->dnstls_data.ctx)
                SSL_CTX_free(server->dnstls_data.ctx);

        if (server->dnstls_data.session)
                SSL_SESSION_free(server->dnstls_data.session);
}
Commit	Line	Data
096cbdce IT	1	/* SPDX-License-Identifier: LGPL-2.1+ */
	2
	3	#if !ENABLE_DNS_OVER_TLS \|\| !DNS_OVER_TLS_USE_OPENSSL
	4	#error This source file requires DNS-over-TLS to be enabled and OpenSSL to be available.
	5	#endif
	6
	7	#include "resolved-dnstls.h"
	8	#include "resolved-dns-stream.h"
	9
	10	#include <openssl/bio.h>
	11	#include <openssl/err.h>
	12
	13	DEFINE_TRIVIAL_CLEANUP_FUNC(SSL*, SSL_free);
	14	DEFINE_TRIVIAL_CLEANUP_FUNC(BIO*, BIO_free);
	15
04c4d919 IT	16	static int dnstls_flush_write_buffer(DnsStream *stream) {
	17	ssize_t ss;
	18
	19	assert(stream);
	20	assert(stream->encrypted);
	21
	22	if (stream->dnstls_data.write_buffer->length > 0) {
	23	assert(stream->dnstls_data.write_buffer->data);
	24
	25	struct iovec iov[1];
	26	iov[0].iov_base = stream->dnstls_data.write_buffer->data;
	27	iov[0].iov_len = stream->dnstls_data.write_buffer->length;
	28	ss = dns_stream_writev(stream, iov, 1, DNS_STREAM_WRITE_TLS_DATA);
	29	if (ss < 0) {
	30	if (ss == -EAGAIN)
	31	stream->dnstls_events \|= EPOLLOUT;
	32
	33	return ss;
	34	} else {
	35	stream->dnstls_data.write_buffer->length -= ss;
	36	stream->dnstls_data.write_buffer->data += ss;
	37
	38	if (stream->dnstls_data.write_buffer->length > 0) {
	39	stream->dnstls_events \|= EPOLLOUT;
	40	return -EAGAIN;
	41	}
	42	}
	43	}
	44
	45	return 0;
	46	}
	47
096cbdce	48	int dnstls_stream_connect_tls(DnsStream stream, DnsServer server) {
36f1946c	49	_cleanup_(BIO_freep) BIO rb = NULL, wb = NULL;
096cbdce	50	_cleanup_(SSL_freep) SSL *s = NULL;
36f1946c	51	int error, r;
096cbdce IT	52
	53	assert(stream);
	54	assert(server);
	55
04c4d919 IT	56	rb = BIO_new_socket(stream->fd, 0);
	57	if (!rb)
	58	return -ENOMEM;
	59
	60	wb = BIO_new(BIO_s_mem());
	61	if (!wb)
096cbdce IT	62	return -ENOMEM;
096cbdce IT	63
04c4d919 IT	64	BIO_get_mem_ptr(wb, &stream->dnstls_data.write_buffer);
04c4d919 IT	65
096cbdce IT	66	s = SSL_new(server->dnstls_data.ctx);
	67	if (!s)
	68	return -ENOMEM;
	69
	70	SSL_set_connect_state(s);
04c4d919 IT	71	SSL_set_session(s, server->dnstls_data.session);
	72	SSL_set_bio(s, TAKE_PTR(rb), TAKE_PTR(wb));
	73
59c3fee2	74	ERR_clear_error();
04c4d919 IT	75	stream->dnstls_data.handshake = SSL_do_handshake(s);
	76	if (stream->dnstls_data.handshake <= 0) {
	77	error = SSL_get_error(s, stream->dnstls_data.handshake);
	78	if (!IN_SET(error, SSL_ERROR_WANT_READ, SSL_ERROR_WANT_WRITE)) {
	79	char errbuf[256];
096cbdce	80
04c4d919 IT	81	ERR_error_string_n(error, errbuf, sizeof(errbuf));
	82	log_debug("Failed to invoke SSL_do_handshake: %s", errbuf);
	83	return -ECONNREFUSED;
	84	}
	85	}
096cbdce IT	86
096cbdce IT	87	stream->encrypted = true;
04c4d919 IT	88
	89	r = dnstls_flush_write_buffer(stream);
	90	if (r < 0 && r != -EAGAIN)
	91	return r;
	92
096cbdce IT	93	stream->dnstls_data.ssl = TAKE_PTR(s);
	94
	95	return 0;
	96	}
	97
	98	void dnstls_stream_free(DnsStream *stream) {
	99	assert(stream);
	100	assert(stream->encrypted);
	101
	102	if (stream->dnstls_data.ssl)
	103	SSL_free(stream->dnstls_data.ssl);
	104	}
	105
04c4d919	106	int dnstls_stream_on_io(DnsStream *stream, uint32_t revents) {
36f1946c	107	int error, r;
096cbdce IT	108
	109	assert(stream);
	110	assert(stream->encrypted);
	111	assert(stream->dnstls_data.ssl);
	112
36f1946c	113	/* Flush write buffer when requested by OpenSSL */
04c4d919 IT	114	if ((revents & EPOLLOUT) && (stream->dnstls_events & EPOLLOUT)) {
	115	r = dnstls_flush_write_buffer(stream);
	116	if (r < 0)
	117	return r;
	118	}
	119
096cbdce	120	if (stream->dnstls_data.shutdown) {
59c3fee2	121	ERR_clear_error();
096cbdce	122	r = SSL_shutdown(stream->dnstls_data.ssl);
04c4d919	123	if (r <= 0) {
096cbdce	124	error = SSL_get_error(stream->dnstls_data.ssl, r);
04c4d919 IT	125	if (r == 0 \|\| IN_SET(error, SSL_ERROR_WANT_READ, SSL_ERROR_WANT_WRITE)) {
	126	if (r < 0)
	127	stream->dnstls_events = error == SSL_ERROR_WANT_READ ? EPOLLIN : EPOLLOUT;
	128
	129	r = dnstls_flush_write_buffer(stream);
	130	if (r < 0)
	131	return r;
	132
096cbdce IT	133	return -EAGAIN;
	134	} else {
	135	char errbuf[256];
	136
	137	ERR_error_string_n(error, errbuf, sizeof(errbuf));
	138	log_debug("Failed to invoke SSL_shutdown: %s", errbuf);
	139	}
	140	}
	141
04c4d919 IT	142	r = dnstls_flush_write_buffer(stream);
	143	if (r < 0)
	144	return r;
	145
096cbdce IT	146	stream->dnstls_events = 0;
	147	stream->dnstls_data.shutdown = false;
	148	dns_stream_unref(stream);
	149	return DNSTLS_STREAM_CLOSED;
	150	} else if (stream->dnstls_data.handshake <= 0) {
59c3fee2	151	ERR_clear_error();
096cbdce IT	152	stream->dnstls_data.handshake = SSL_do_handshake(stream->dnstls_data.ssl);
	153	if (stream->dnstls_data.handshake <= 0) {
	154	error = SSL_get_error(stream->dnstls_data.ssl, stream->dnstls_data.handshake);
	155	if (IN_SET(error, SSL_ERROR_WANT_READ, SSL_ERROR_WANT_WRITE)) {
	156	stream->dnstls_events = error == SSL_ERROR_WANT_READ ? EPOLLIN : EPOLLOUT;
04c4d919 IT	157	r = dnstls_flush_write_buffer(stream);
	158	if (r < 0)
	159	return r;
	160
096cbdce IT	161	return -EAGAIN;
	162	} else {
	163	char errbuf[256];
	164
	165	ERR_error_string_n(error, errbuf, sizeof(errbuf));
	166	log_debug("Failed to invoke SSL_do_handshake: %s", errbuf);
	167	return -ECONNREFUSED;
	168	}
	169	}
	170
	171	stream->dnstls_events = 0;
04c4d919 IT	172	r = dnstls_flush_write_buffer(stream);
	173	if (r < 0)
	174	return r;
096cbdce IT	175	}
	176
	177	return 0;
	178	}
	179
	180	int dnstls_stream_shutdown(DnsStream *stream, int error) {
36f1946c	181	int ssl_error, r;
096cbdce IT	182	SSL_SESSION *s;
	183
	184	assert(stream);
	185	assert(stream->encrypted);
	186	assert(stream->dnstls_data.ssl);
	187
04c4d919 IT	188	if (stream->server) {
	189	s = SSL_get1_session(stream->dnstls_data.ssl);
	190	if (s) {
	191	if (stream->server->dnstls_data.session)
	192	SSL_SESSION_free(stream->server->dnstls_data.session);
	193
	194	stream->server->dnstls_data.session = s;
	195	}
	196	}
	197
096cbdce	198	if (error == ETIMEDOUT) {
59c3fee2	199	ERR_clear_error();
096cbdce IT	200	r = SSL_shutdown(stream->dnstls_data.ssl);
	201	if (r == 0) {
	202	if (!stream->dnstls_data.shutdown) {
	203	stream->dnstls_data.shutdown = true;
	204	dns_stream_ref(stream);
	205	}
04c4d919 IT	206
	207	r = dnstls_flush_write_buffer(stream);
	208	if (r < 0)
	209	return r;
	210
096cbdce IT	211	return -EAGAIN;
	212	} else if (r < 0) {
	213	ssl_error = SSL_get_error(stream->dnstls_data.ssl, r);
	214	if (IN_SET(ssl_error, SSL_ERROR_WANT_READ, SSL_ERROR_WANT_WRITE)) {
	215	stream->dnstls_events = ssl_error == SSL_ERROR_WANT_READ ? EPOLLIN : EPOLLOUT;
04c4d919 IT	216	r = dnstls_flush_write_buffer(stream);
	217	if (r < 0 && r != -EAGAIN)
	218	return r;
	219
096cbdce IT	220	if (!stream->dnstls_data.shutdown) {
	221	stream->dnstls_data.shutdown = true;
	222	dns_stream_ref(stream);
	223	}
	224	return -EAGAIN;
	225	} else {
	226	char errbuf[256];
	227
	228	ERR_error_string_n(ssl_error, errbuf, sizeof(errbuf));
	229	log_debug("Failed to invoke SSL_shutdown: %s", errbuf);
	230	}
	231	}
04c4d919 IT	232
	233	stream->dnstls_events = 0;
	234	r = dnstls_flush_write_buffer(stream);
	235	if (r < 0)
	236	return r;
096cbdce IT	237	}
	238
	239	return 0;
	240	}
	241
	242	ssize_t dnstls_stream_write(DnsStream stream, const char buf, size_t count) {
36f1946c	243	int error, r;
096cbdce IT	244	ssize_t ss;
	245
	246	assert(stream);
	247	assert(stream->encrypted);
	248	assert(stream->dnstls_data.ssl);
	249	assert(buf);
	250
59c3fee2	251	ERR_clear_error();
096cbdce IT	252	ss = r = SSL_write(stream->dnstls_data.ssl, buf, count);
	253	if (r <= 0) {
	254	error = SSL_get_error(stream->dnstls_data.ssl, ss);
	255	if (IN_SET(error, SSL_ERROR_WANT_READ, SSL_ERROR_WANT_WRITE)) {
	256	stream->dnstls_events = error == SSL_ERROR_WANT_READ ? EPOLLIN : EPOLLOUT;
04c4d919 IT	257	r = dnstls_flush_write_buffer(stream);
	258	if (r < 0)
	259	return r;
	260
096cbdce IT	261	ss = -EAGAIN;
	262	} else {
	263	char errbuf[256];
	264
	265	ERR_error_string_n(error, errbuf, sizeof(errbuf));
36f1946c	266	log_debug("Failed to invoke SSL_write: %s", errbuf);
096cbdce IT	267	ss = -EPIPE;
	268	}
	269	}
	270
	271	stream->dnstls_events = 0;
04c4d919 IT	272	r = dnstls_flush_write_buffer(stream);
	273	if (r < 0)
	274	return r;
	275
096cbdce IT	276	return ss;
	277	}
	278
	279	ssize_t dnstls_stream_read(DnsStream stream, void buf, size_t count) {
36f1946c	280	int error, r;
096cbdce IT	281	ssize_t ss;
	282
	283	assert(stream);
	284	assert(stream->encrypted);
	285	assert(stream->dnstls_data.ssl);
	286	assert(buf);
	287
59c3fee2	288	ERR_clear_error();
096cbdce IT	289	ss = r = SSL_read(stream->dnstls_data.ssl, buf, count);
	290	if (r <= 0) {
	291	error = SSL_get_error(stream->dnstls_data.ssl, ss);
	292	if (IN_SET(error, SSL_ERROR_WANT_READ, SSL_ERROR_WANT_WRITE)) {
	293	stream->dnstls_events = error == SSL_ERROR_WANT_READ ? EPOLLIN : EPOLLOUT;
04c4d919 IT	294
	295	/* flush write buffer in cache of renegotiation */
	296	r = dnstls_flush_write_buffer(stream);
	297	if (r < 0)
	298	return r;
	299
096cbdce IT	300	ss = -EAGAIN;
	301	} else {
	302	char errbuf[256];
	303
	304	ERR_error_string_n(error, errbuf, sizeof(errbuf));
	305	log_debug("Failed to invoke SSL_read: %s", errbuf);
	306	ss = -EPIPE;
	307	}
	308	}
	309
	310	stream->dnstls_events = 0;
04c4d919 IT	311
	312	/* flush write buffer in cache of renegotiation */
	313	r = dnstls_flush_write_buffer(stream);
	314	if (r < 0)
	315	return r;
	316
096cbdce IT	317	return ss;
	318	}
	319
	320	void dnstls_server_init(DnsServer *server) {
	321	assert(server);
	322
	323	server->dnstls_data.ctx = SSL_CTX_new(TLS_client_method());
	324	if (server->dnstls_data.ctx) {
	325	SSL_CTX_set_min_proto_version(server->dnstls_data.ctx, TLS1_2_VERSION);
	326	SSL_CTX_set_options(server->dnstls_data.ctx, SSL_OP_NO_COMPRESSION);
	327	}
	328	}
	329
	330	void dnstls_server_free(DnsServer *server) {
	331	assert(server);
	332
	333	if (server->dnstls_data.ctx)
	334	SSL_CTX_free(server->dnstls_data.ctx);
04c4d919 IT	335
	336	if (server->dnstls_data.session)
	337	SSL_SESSION_free(server->dnstls_data.session);
096cbdce	338	}