[thirdparty/systemd.git] / src / resolve / resolved-dnstls-openssl.c

/* SPDX-License-Identifier: LGPL-2.1+ */

#if !ENABLE_DNS_OVER_TLS || !DNS_OVER_TLS_USE_OPENSSL
#error This source file requires DNS-over-TLS to be enabled and OpenSSL to be available.
#endif

#include <openssl/bio.h>
#include <openssl/err.h>

#include "io-util.h"
#include "resolved-dns-stream.h"
#include "resolved-dnstls.h"

DEFINE_TRIVIAL_CLEANUP_FUNC(SSL*, SSL_free);
DEFINE_TRIVIAL_CLEANUP_FUNC(BIO*, BIO_free);

static int dnstls_flush_write_buffer(DnsStream *stream) {
        ssize_t ss;

        assert(stream);
        assert(stream->encrypted);

        if (stream->dnstls_data.write_buffer->length > 0) {
                assert(stream->dnstls_data.write_buffer->data);

                struct iovec iov[1];
                iov[0] = IOVEC_MAKE(stream->dnstls_data.write_buffer->data,
                                    stream->dnstls_data.write_buffer->length);
                ss = dns_stream_writev(stream, iov, 1, DNS_STREAM_WRITE_TLS_DATA);
                if (ss < 0) {
                        if (ss == -EAGAIN)
                                stream->dnstls_events |= EPOLLOUT;

                        return ss;
                } else {
                        stream->dnstls_data.write_buffer->length -= ss;
                        stream->dnstls_data.write_buffer->data += ss;

                        if (stream->dnstls_data.write_buffer->length > 0) {
                                stream->dnstls_events |= EPOLLOUT;
                                return -EAGAIN;
                        }
                }
        }

        return 0;
}

int dnstls_stream_connect_tls(DnsStream *stream, DnsServer *server) {
        _cleanup_(BIO_freep) BIO *rb = NULL, *wb = NULL;
        _cleanup_(SSL_freep) SSL *s = NULL;
        int error, r;

        assert(stream);
        assert(server);

        rb = BIO_new_socket(stream->fd, 0);
        if (!rb)
                return -ENOMEM;

        wb = BIO_new(BIO_s_mem());
        if (!wb)
                return -ENOMEM;

        BIO_get_mem_ptr(wb, &stream->dnstls_data.write_buffer);

        s = SSL_new(server->dnstls_data.ctx);
        if (!s)
                return -ENOMEM;

        SSL_set_connect_state(s);
        SSL_set_session(s, server->dnstls_data.session);
        SSL_set_bio(s, TAKE_PTR(rb), TAKE_PTR(wb));

        ERR_clear_error();
        stream->dnstls_data.handshake = SSL_do_handshake(s);
        if (stream->dnstls_data.handshake <= 0) {
                error = SSL_get_error(s, stream->dnstls_data.handshake);
                if (!IN_SET(error, SSL_ERROR_WANT_READ, SSL_ERROR_WANT_WRITE)) {
                        char errbuf[256];

                        ERR_error_string_n(error, errbuf, sizeof(errbuf));
                        log_debug("Failed to invoke SSL_do_handshake: %s", errbuf);
                        return -ECONNREFUSED;
                }
        }

        stream->encrypted = true;

        r = dnstls_flush_write_buffer(stream);
        if (r < 0 && r != -EAGAIN)
                return r;

        stream->dnstls_data.ssl = TAKE_PTR(s);

        return 0;
}

void dnstls_stream_free(DnsStream *stream) {
        assert(stream);
        assert(stream->encrypted);

        if (stream->dnstls_data.ssl)
                SSL_free(stream->dnstls_data.ssl);
}

int dnstls_stream_on_io(DnsStream *stream, uint32_t revents) {
        int error, r;

        assert(stream);
        assert(stream->encrypted);
        assert(stream->dnstls_data.ssl);

        /* Flush write buffer when requested by OpenSSL */
        if ((revents & EPOLLOUT) && (stream->dnstls_events & EPOLLOUT)) {
                r = dnstls_flush_write_buffer(stream);
                if (r < 0)
                        return r;
        }

        if (stream->dnstls_data.shutdown) {
                ERR_clear_error();
                r = SSL_shutdown(stream->dnstls_data.ssl);
                if (r == 0) {
                        stream->dnstls_events = 0;

                        r = dnstls_flush_write_buffer(stream);
                        if (r < 0)
                                return r;

                        return -EAGAIN;
                } else if (r < 0) {
                        error = SSL_get_error(stream->dnstls_data.ssl, r);
                        if (IN_SET(error, SSL_ERROR_WANT_READ, SSL_ERROR_WANT_WRITE)) {
                                stream->dnstls_events = error == SSL_ERROR_WANT_READ ? EPOLLIN : EPOLLOUT;

                                r = dnstls_flush_write_buffer(stream);
                                if (r < 0)
                                        return r;

                                return -EAGAIN;
                        } else if (error == SSL_ERROR_SYSCALL) {
                                if (errno > 0)
                                        log_debug_errno(errno, "Failed to invoke SSL_shutdown, ignoring: %m");
                        } else {
                                char errbuf[256];

                                ERR_error_string_n(error, errbuf, sizeof(errbuf));
                                log_debug("Failed to invoke SSL_shutdown, ignoring: %s", errbuf);
                        }
                }

                stream->dnstls_events = 0;
                stream->dnstls_data.shutdown = false;

                r = dnstls_flush_write_buffer(stream);
                if (r < 0)
                        return r;

                dns_stream_unref(stream);
                return DNSTLS_STREAM_CLOSED;
        } else if (stream->dnstls_data.handshake <= 0) {
                ERR_clear_error();
                stream->dnstls_data.handshake = SSL_do_handshake(stream->dnstls_data.ssl);
                if (stream->dnstls_data.handshake <= 0) {
                        error = SSL_get_error(stream->dnstls_data.ssl, stream->dnstls_data.handshake);
                        if (IN_SET(error, SSL_ERROR_WANT_READ, SSL_ERROR_WANT_WRITE)) {
                                stream->dnstls_events = error == SSL_ERROR_WANT_READ ? EPOLLIN : EPOLLOUT;
                                r = dnstls_flush_write_buffer(stream);
                                if (r < 0)
                                        return r;

                                return -EAGAIN;
                        } else {
                                char errbuf[256];

                                ERR_error_string_n(error, errbuf, sizeof(errbuf));
                                return log_debug_errno(SYNTHETIC_ERRNO(ECONNREFUSED),
                                                       "Failed to invoke SSL_do_handshake: %s",
                                                       errbuf);
                        }
                }

                stream->dnstls_events = 0;
                r = dnstls_flush_write_buffer(stream);
                if (r < 0)
                        return r;
        }

        return 0;
}

int dnstls_stream_shutdown(DnsStream *stream, int error) {
        int ssl_error, r;
        SSL_SESSION *s;

        assert(stream);
        assert(stream->encrypted);
        assert(stream->dnstls_data.ssl);

        if (stream->server) {
                s = SSL_get1_session(stream->dnstls_data.ssl);
                if (s) {
                        if (stream->server->dnstls_data.session)
                                SSL_SESSION_free(stream->server->dnstls_data.session);

                        stream->server->dnstls_data.session = s;
                }
        }

        if (error == ETIMEDOUT) {
                ERR_clear_error();
                r = SSL_shutdown(stream->dnstls_data.ssl);
                if (r == 0) {
                        if (!stream->dnstls_data.shutdown) {
                                stream->dnstls_data.shutdown = true;
                                dns_stream_ref(stream);
                        }

                        stream->dnstls_events = 0;

                        r = dnstls_flush_write_buffer(stream);
                        if (r < 0)
                                return r;

                        return -EAGAIN;
                } else if (r < 0) {
                        ssl_error = SSL_get_error(stream->dnstls_data.ssl, r);
                        if (IN_SET(ssl_error, SSL_ERROR_WANT_READ, SSL_ERROR_WANT_WRITE)) {
                                stream->dnstls_events = ssl_error == SSL_ERROR_WANT_READ ? EPOLLIN : EPOLLOUT;
                                r = dnstls_flush_write_buffer(stream);
                                if (r < 0 && r != -EAGAIN)
                                        return r;

                                if (!stream->dnstls_data.shutdown) {
                                        stream->dnstls_data.shutdown = true;
                                        dns_stream_ref(stream);
                                }
                                return -EAGAIN;
                        } else if (ssl_error == SSL_ERROR_SYSCALL) {
                                if (errno > 0)
                                        log_debug_errno(errno, "Failed to invoke SSL_shutdown, ignoring: %m");
                        } else {
                                char errbuf[256];

                                ERR_error_string_n(ssl_error, errbuf, sizeof(errbuf));
                                log_debug("Failed to invoke SSL_shutdown, ignoring: %s", errbuf);
                        }
                }

                stream->dnstls_events = 0;
                r = dnstls_flush_write_buffer(stream);
                if (r < 0)
                        return r;
        }

        return 0;
}

ssize_t dnstls_stream_write(DnsStream *stream, const char *buf, size_t count) {
        int error, r;
        ssize_t ss;

        assert(stream);
        assert(stream->encrypted);
        assert(stream->dnstls_data.ssl);
        assert(buf);

        ERR_clear_error();
        ss = r = SSL_write(stream->dnstls_data.ssl, buf, count);
        if (r <= 0) {
                error = SSL_get_error(stream->dnstls_data.ssl, r);
                if (IN_SET(error, SSL_ERROR_WANT_READ, SSL_ERROR_WANT_WRITE)) {
                        stream->dnstls_events = error == SSL_ERROR_WANT_READ ? EPOLLIN : EPOLLOUT;
                        ss = -EAGAIN;
                } else if (error == SSL_ERROR_ZERO_RETURN) {
                        stream->dnstls_events = 0;
                        ss = 0;
                } else {
                        char errbuf[256];

                        ERR_error_string_n(error, errbuf, sizeof(errbuf));
                        log_debug("Failed to invoke SSL_write: %s", errbuf);
                        stream->dnstls_events = 0;
                        ss = -EPIPE;
                }
        } else
                stream->dnstls_events = 0;

        r = dnstls_flush_write_buffer(stream);
        if (r < 0)
                return r;

        return ss;
}

ssize_t dnstls_stream_read(DnsStream *stream, void *buf, size_t count) {
        int error, r;
        ssize_t ss;

        assert(stream);
        assert(stream->encrypted);
        assert(stream->dnstls_data.ssl);
        assert(buf);

        ERR_clear_error();
        ss = r = SSL_read(stream->dnstls_data.ssl, buf, count);
        if (r <= 0) {
                error = SSL_get_error(stream->dnstls_data.ssl, r);
                if (IN_SET(error, SSL_ERROR_WANT_READ, SSL_ERROR_WANT_WRITE)) {
                        stream->dnstls_events = error == SSL_ERROR_WANT_READ ? EPOLLIN : EPOLLOUT;
                        ss = -EAGAIN;
                } else if (error == SSL_ERROR_ZERO_RETURN) {
                        stream->dnstls_events = 0;
                        ss = 0;
                } else {
                        char errbuf[256];

                        ERR_error_string_n(error, errbuf, sizeof(errbuf));
                        log_debug("Failed to invoke SSL_read: %s", errbuf);
                        stream->dnstls_events = 0;
                        ss = -EPIPE;
                }
        } else
                stream->dnstls_events = 0;

        /* flush write buffer in cache of renegotiation */
        r = dnstls_flush_write_buffer(stream);
        if (r < 0)
                return r;

        return ss;
}

void dnstls_server_init(DnsServer *server) {
        assert(server);

        server->dnstls_data.ctx = SSL_CTX_new(TLS_client_method());
        if (server->dnstls_data.ctx) {
                SSL_CTX_set_min_proto_version(server->dnstls_data.ctx, TLS1_2_VERSION);
                SSL_CTX_set_options(server->dnstls_data.ctx, SSL_OP_NO_COMPRESSION);
        }
}

void dnstls_server_free(DnsServer *server) {
        assert(server);

        if (server->dnstls_data.ctx)
                SSL_CTX_free(server->dnstls_data.ctx);

        if (server->dnstls_data.session)
                SSL_SESSION_free(server->dnstls_data.session);
}
Commit	Line	Data
096cbdce IT	1	/* SPDX-License-Identifier: LGPL-2.1+ */
	2
	3	#if !ENABLE_DNS_OVER_TLS \|\| !DNS_OVER_TLS_USE_OPENSSL
	4	#error This source file requires DNS-over-TLS to be enabled and OpenSSL to be available.
	5	#endif
	6
096cbdce IT	7	#include <openssl/bio.h>
	8	#include <openssl/err.h>
	9
29e719ce	10	#include "io-util.h"
72938b93 YW	11	#include "resolved-dns-stream.h"
	12	#include "resolved-dnstls.h"
	13
096cbdce IT	14	DEFINE_TRIVIAL_CLEANUP_FUNC(SSL*, SSL_free);
	15	DEFINE_TRIVIAL_CLEANUP_FUNC(BIO*, BIO_free);
	16
04c4d919 IT	17	static int dnstls_flush_write_buffer(DnsStream *stream) {
	18	ssize_t ss;
	19
	20	assert(stream);
	21	assert(stream->encrypted);
	22
	23	if (stream->dnstls_data.write_buffer->length > 0) {
	24	assert(stream->dnstls_data.write_buffer->data);
	25
	26	struct iovec iov[1];
5cfa2c3d LP	27	iov[0] = IOVEC_MAKE(stream->dnstls_data.write_buffer->data,
5cfa2c3d LP	28	stream->dnstls_data.write_buffer->length);
04c4d919 IT	29	ss = dns_stream_writev(stream, iov, 1, DNS_STREAM_WRITE_TLS_DATA);
	30	if (ss < 0) {
	31	if (ss == -EAGAIN)
	32	stream->dnstls_events \|= EPOLLOUT;
	33
	34	return ss;
	35	} else {
	36	stream->dnstls_data.write_buffer->length -= ss;
53d64ebb	37	stream->dnstls_data.write_buffer->data += ss;
04c4d919 IT	38
	39	if (stream->dnstls_data.write_buffer->length > 0) {
	40	stream->dnstls_events \|= EPOLLOUT;
	41	return -EAGAIN;
	42	}
	43	}
	44	}
	45
	46	return 0;
	47	}
	48
096cbdce	49	int dnstls_stream_connect_tls(DnsStream stream, DnsServer server) {
36f1946c	50	_cleanup_(BIO_freep) BIO rb = NULL, wb = NULL;
096cbdce	51	_cleanup_(SSL_freep) SSL *s = NULL;
36f1946c	52	int error, r;
096cbdce IT	53
	54	assert(stream);
	55	assert(server);
	56
04c4d919 IT	57	rb = BIO_new_socket(stream->fd, 0);
	58	if (!rb)
	59	return -ENOMEM;
	60
	61	wb = BIO_new(BIO_s_mem());
	62	if (!wb)
096cbdce IT	63	return -ENOMEM;
096cbdce IT	64
04c4d919 IT	65	BIO_get_mem_ptr(wb, &stream->dnstls_data.write_buffer);
04c4d919 IT	66
096cbdce IT	67	s = SSL_new(server->dnstls_data.ctx);
	68	if (!s)
	69	return -ENOMEM;
	70
	71	SSL_set_connect_state(s);
04c4d919 IT	72	SSL_set_session(s, server->dnstls_data.session);
	73	SSL_set_bio(s, TAKE_PTR(rb), TAKE_PTR(wb));
	74
59c3fee2	75	ERR_clear_error();
04c4d919 IT	76	stream->dnstls_data.handshake = SSL_do_handshake(s);
	77	if (stream->dnstls_data.handshake <= 0) {
	78	error = SSL_get_error(s, stream->dnstls_data.handshake);
	79	if (!IN_SET(error, SSL_ERROR_WANT_READ, SSL_ERROR_WANT_WRITE)) {
	80	char errbuf[256];
096cbdce	81
04c4d919 IT	82	ERR_error_string_n(error, errbuf, sizeof(errbuf));
	83	log_debug("Failed to invoke SSL_do_handshake: %s", errbuf);
	84	return -ECONNREFUSED;
	85	}
	86	}
096cbdce IT	87
096cbdce IT	88	stream->encrypted = true;
04c4d919 IT	89
	90	r = dnstls_flush_write_buffer(stream);
	91	if (r < 0 && r != -EAGAIN)
	92	return r;
	93
096cbdce IT	94	stream->dnstls_data.ssl = TAKE_PTR(s);
	95
	96	return 0;
	97	}
	98
	99	void dnstls_stream_free(DnsStream *stream) {
	100	assert(stream);
	101	assert(stream->encrypted);
	102
	103	if (stream->dnstls_data.ssl)
	104	SSL_free(stream->dnstls_data.ssl);
	105	}
	106
04c4d919	107	int dnstls_stream_on_io(DnsStream *stream, uint32_t revents) {
36f1946c	108	int error, r;
096cbdce IT	109
	110	assert(stream);
	111	assert(stream->encrypted);
	112	assert(stream->dnstls_data.ssl);
	113
36f1946c	114	/* Flush write buffer when requested by OpenSSL */
04c4d919 IT	115	if ((revents & EPOLLOUT) && (stream->dnstls_events & EPOLLOUT)) {
	116	r = dnstls_flush_write_buffer(stream);
	117	if (r < 0)
	118	return r;
	119	}
	120
096cbdce	121	if (stream->dnstls_data.shutdown) {
59c3fee2	122	ERR_clear_error();
096cbdce	123	r = SSL_shutdown(stream->dnstls_data.ssl);
8eadd291 YW	124	if (r == 0) {
	125	stream->dnstls_events = 0;
	126
	127	r = dnstls_flush_write_buffer(stream);
	128	if (r < 0)
	129	return r;
	130
	131	return -EAGAIN;
	132	} else if (r < 0) {
096cbdce	133	error = SSL_get_error(stream->dnstls_data.ssl, r);
8eadd291 YW	134	if (IN_SET(error, SSL_ERROR_WANT_READ, SSL_ERROR_WANT_WRITE)) {
8eadd291 YW	135	stream->dnstls_events = error == SSL_ERROR_WANT_READ ? EPOLLIN : EPOLLOUT;
04c4d919 IT	136
	137	r = dnstls_flush_write_buffer(stream);
	138	if (r < 0)
	139	return r;
	140
096cbdce	141	return -EAGAIN;
8eadd291 YW	142	} else if (error == SSL_ERROR_SYSCALL) {
	143	if (errno > 0)
	144	log_debug_errno(errno, "Failed to invoke SSL_shutdown, ignoring: %m");
096cbdce IT	145	} else {
	146	char errbuf[256];
	147
	148	ERR_error_string_n(error, errbuf, sizeof(errbuf));
8eadd291	149	log_debug("Failed to invoke SSL_shutdown, ignoring: %s", errbuf);
096cbdce IT	150	}
	151	}
	152
8eadd291 YW	153	stream->dnstls_events = 0;
	154	stream->dnstls_data.shutdown = false;
	155
04c4d919 IT	156	r = dnstls_flush_write_buffer(stream);
	157	if (r < 0)
	158	return r;
	159
096cbdce IT	160	dns_stream_unref(stream);
	161	return DNSTLS_STREAM_CLOSED;
	162	} else if (stream->dnstls_data.handshake <= 0) {
59c3fee2	163	ERR_clear_error();
096cbdce IT	164	stream->dnstls_data.handshake = SSL_do_handshake(stream->dnstls_data.ssl);
	165	if (stream->dnstls_data.handshake <= 0) {
	166	error = SSL_get_error(stream->dnstls_data.ssl, stream->dnstls_data.handshake);
	167	if (IN_SET(error, SSL_ERROR_WANT_READ, SSL_ERROR_WANT_WRITE)) {
	168	stream->dnstls_events = error == SSL_ERROR_WANT_READ ? EPOLLIN : EPOLLOUT;
04c4d919 IT	169	r = dnstls_flush_write_buffer(stream);
	170	if (r < 0)
	171	return r;
	172
096cbdce IT	173	return -EAGAIN;
	174	} else {
	175	char errbuf[256];
	176
	177	ERR_error_string_n(error, errbuf, sizeof(errbuf));
baaa35ad ZJS	178	return log_debug_errno(SYNTHETIC_ERRNO(ECONNREFUSED),
	179	"Failed to invoke SSL_do_handshake: %s",
	180	errbuf);
096cbdce IT	181	}
	182	}
	183
	184	stream->dnstls_events = 0;
04c4d919 IT	185	r = dnstls_flush_write_buffer(stream);
	186	if (r < 0)
	187	return r;
096cbdce IT	188	}
	189
	190	return 0;
	191	}
	192
	193	int dnstls_stream_shutdown(DnsStream *stream, int error) {
36f1946c	194	int ssl_error, r;
096cbdce IT	195	SSL_SESSION *s;
	196
	197	assert(stream);
	198	assert(stream->encrypted);
	199	assert(stream->dnstls_data.ssl);
	200
04c4d919 IT	201	if (stream->server) {
	202	s = SSL_get1_session(stream->dnstls_data.ssl);
	203	if (s) {
	204	if (stream->server->dnstls_data.session)
	205	SSL_SESSION_free(stream->server->dnstls_data.session);
	206
	207	stream->server->dnstls_data.session = s;
	208	}
	209	}
	210
096cbdce	211	if (error == ETIMEDOUT) {
59c3fee2	212	ERR_clear_error();
096cbdce IT	213	r = SSL_shutdown(stream->dnstls_data.ssl);
	214	if (r == 0) {
	215	if (!stream->dnstls_data.shutdown) {
	216	stream->dnstls_data.shutdown = true;
	217	dns_stream_ref(stream);
	218	}
04c4d919	219
8eadd291 YW	220	stream->dnstls_events = 0;
8eadd291 YW	221
04c4d919 IT	222	r = dnstls_flush_write_buffer(stream);
	223	if (r < 0)
	224	return r;
	225
096cbdce IT	226	return -EAGAIN;
	227	} else if (r < 0) {
	228	ssl_error = SSL_get_error(stream->dnstls_data.ssl, r);
	229	if (IN_SET(ssl_error, SSL_ERROR_WANT_READ, SSL_ERROR_WANT_WRITE)) {
	230	stream->dnstls_events = ssl_error == SSL_ERROR_WANT_READ ? EPOLLIN : EPOLLOUT;
04c4d919 IT	231	r = dnstls_flush_write_buffer(stream);
	232	if (r < 0 && r != -EAGAIN)
	233	return r;
	234
096cbdce IT	235	if (!stream->dnstls_data.shutdown) {
	236	stream->dnstls_data.shutdown = true;
	237	dns_stream_ref(stream);
	238	}
	239	return -EAGAIN;
8eadd291 YW	240	} else if (ssl_error == SSL_ERROR_SYSCALL) {
	241	if (errno > 0)
	242	log_debug_errno(errno, "Failed to invoke SSL_shutdown, ignoring: %m");
096cbdce IT	243	} else {
	244	char errbuf[256];
	245
	246	ERR_error_string_n(ssl_error, errbuf, sizeof(errbuf));
8eadd291	247	log_debug("Failed to invoke SSL_shutdown, ignoring: %s", errbuf);
096cbdce IT	248	}
096cbdce IT	249	}
04c4d919 IT	250
	251	stream->dnstls_events = 0;
	252	r = dnstls_flush_write_buffer(stream);
	253	if (r < 0)
	254	return r;
096cbdce IT	255	}
	256
	257	return 0;
	258	}
	259
	260	ssize_t dnstls_stream_write(DnsStream stream, const char buf, size_t count) {
36f1946c	261	int error, r;
096cbdce IT	262	ssize_t ss;
	263
	264	assert(stream);
	265	assert(stream->encrypted);
	266	assert(stream->dnstls_data.ssl);
	267	assert(buf);
	268
59c3fee2	269	ERR_clear_error();
096cbdce IT	270	ss = r = SSL_write(stream->dnstls_data.ssl, buf, count);
096cbdce IT	271	if (r <= 0) {
8e740110	272	error = SSL_get_error(stream->dnstls_data.ssl, r);
096cbdce IT	273	if (IN_SET(error, SSL_ERROR_WANT_READ, SSL_ERROR_WANT_WRITE)) {
	274	stream->dnstls_events = error == SSL_ERROR_WANT_READ ? EPOLLIN : EPOLLOUT;
	275	ss = -EAGAIN;
8e740110 YW	276	} else if (error == SSL_ERROR_ZERO_RETURN) {
	277	stream->dnstls_events = 0;
	278	ss = 0;
096cbdce IT	279	} else {
	280	char errbuf[256];
	281
	282	ERR_error_string_n(error, errbuf, sizeof(errbuf));
36f1946c	283	log_debug("Failed to invoke SSL_write: %s", errbuf);
8e740110	284	stream->dnstls_events = 0;
096cbdce IT	285	ss = -EPIPE;
096cbdce IT	286	}
8e740110 YW	287	} else
8e740110 YW	288	stream->dnstls_events = 0;
096cbdce	289
04c4d919 IT	290	r = dnstls_flush_write_buffer(stream);
	291	if (r < 0)
	292	return r;
	293
096cbdce IT	294	return ss;
	295	}
	296
	297	ssize_t dnstls_stream_read(DnsStream stream, void buf, size_t count) {
36f1946c	298	int error, r;
096cbdce IT	299	ssize_t ss;
	300
	301	assert(stream);
	302	assert(stream->encrypted);
	303	assert(stream->dnstls_data.ssl);
	304	assert(buf);
	305
59c3fee2	306	ERR_clear_error();
096cbdce IT	307	ss = r = SSL_read(stream->dnstls_data.ssl, buf, count);
096cbdce IT	308	if (r <= 0) {
8e740110	309	error = SSL_get_error(stream->dnstls_data.ssl, r);
096cbdce IT	310	if (IN_SET(error, SSL_ERROR_WANT_READ, SSL_ERROR_WANT_WRITE)) {
	311	stream->dnstls_events = error == SSL_ERROR_WANT_READ ? EPOLLIN : EPOLLOUT;
	312	ss = -EAGAIN;
8e740110 YW	313	} else if (error == SSL_ERROR_ZERO_RETURN) {
	314	stream->dnstls_events = 0;
	315	ss = 0;
096cbdce IT	316	} else {
	317	char errbuf[256];
	318
	319	ERR_error_string_n(error, errbuf, sizeof(errbuf));
	320	log_debug("Failed to invoke SSL_read: %s", errbuf);
8e740110	321	stream->dnstls_events = 0;
096cbdce IT	322	ss = -EPIPE;
096cbdce IT	323	}
8e740110 YW	324	} else
8e740110 YW	325	stream->dnstls_events = 0;
04c4d919 IT	326
	327	/* flush write buffer in cache of renegotiation */
	328	r = dnstls_flush_write_buffer(stream);
	329	if (r < 0)
	330	return r;
	331
096cbdce IT	332	return ss;
	333	}
	334
	335	void dnstls_server_init(DnsServer *server) {
	336	assert(server);
	337
	338	server->dnstls_data.ctx = SSL_CTX_new(TLS_client_method());
	339	if (server->dnstls_data.ctx) {
	340	SSL_CTX_set_min_proto_version(server->dnstls_data.ctx, TLS1_2_VERSION);
	341	SSL_CTX_set_options(server->dnstls_data.ctx, SSL_OP_NO_COMPRESSION);
	342	}
	343	}
	344
	345	void dnstls_server_free(DnsServer *server) {
	346	assert(server);
	347
	348	if (server->dnstls_data.ctx)
	349	SSL_CTX_free(server->dnstls_data.ctx);
04c4d919 IT	350
	351	if (server->dnstls_data.session)
	352	SSL_SESSION_free(server->dnstls_data.session);
096cbdce	353	}