]>
Commit | Line | Data |
---|---|---|
1 | /* SPDX-License-Identifier: LGPL-2.1+ */ | |
2 | ||
3 | #if !ENABLE_DNS_OVER_TLS || !DNS_OVER_TLS_USE_OPENSSL | |
4 | #error This source file requires DNS-over-TLS to be enabled and OpenSSL to be available. | |
5 | #endif | |
6 | ||
7 | #include <openssl/bio.h> | |
8 | #include <openssl/err.h> | |
9 | ||
10 | #include "io-util.h" | |
11 | #include "resolved-dns-stream.h" | |
12 | #include "resolved-dnstls.h" | |
13 | ||
14 | DEFINE_TRIVIAL_CLEANUP_FUNC(SSL*, SSL_free); | |
15 | DEFINE_TRIVIAL_CLEANUP_FUNC(BIO*, BIO_free); | |
16 | ||
17 | static int dnstls_flush_write_buffer(DnsStream *stream) { | |
18 | ssize_t ss; | |
19 | ||
20 | assert(stream); | |
21 | assert(stream->encrypted); | |
22 | ||
23 | if (stream->dnstls_data.buffer_offset < stream->dnstls_data.write_buffer->length) { | |
24 | assert(stream->dnstls_data.write_buffer->data); | |
25 | ||
26 | struct iovec iov[1]; | |
27 | iov[0] = IOVEC_MAKE(stream->dnstls_data.write_buffer->data + stream->dnstls_data.buffer_offset, | |
28 | stream->dnstls_data.write_buffer->length - stream->dnstls_data.buffer_offset); | |
29 | ss = dns_stream_writev(stream, iov, 1, DNS_STREAM_WRITE_TLS_DATA); | |
30 | if (ss < 0) { | |
31 | if (ss == -EAGAIN) | |
32 | stream->dnstls_events |= EPOLLOUT; | |
33 | ||
34 | return ss; | |
35 | } else { | |
36 | stream->dnstls_data.buffer_offset += ss; | |
37 | ||
38 | if (stream->dnstls_data.buffer_offset < stream->dnstls_data.write_buffer->length) { | |
39 | stream->dnstls_events |= EPOLLOUT; | |
40 | return -EAGAIN; | |
41 | } else { | |
42 | BIO_reset(SSL_get_wbio(stream->dnstls_data.ssl)); | |
43 | stream->dnstls_data.buffer_offset = 0; | |
44 | } | |
45 | } | |
46 | } | |
47 | ||
48 | return 0; | |
49 | } | |
50 | ||
51 | int dnstls_stream_connect_tls(DnsStream *stream, DnsServer *server) { | |
52 | _cleanup_(BIO_freep) BIO *rb = NULL, *wb = NULL; | |
53 | _cleanup_(SSL_freep) SSL *s = NULL; | |
54 | int error, r; | |
55 | ||
56 | assert(stream); | |
57 | assert(stream->manager); | |
58 | assert(server); | |
59 | ||
60 | rb = BIO_new_socket(stream->fd, 0); | |
61 | if (!rb) | |
62 | return -ENOMEM; | |
63 | ||
64 | wb = BIO_new(BIO_s_mem()); | |
65 | if (!wb) | |
66 | return -ENOMEM; | |
67 | ||
68 | BIO_get_mem_ptr(wb, &stream->dnstls_data.write_buffer); | |
69 | stream->dnstls_data.buffer_offset = 0; | |
70 | ||
71 | s = SSL_new(stream->manager->dnstls_data.ctx); | |
72 | if (!s) | |
73 | return -ENOMEM; | |
74 | ||
75 | SSL_set_connect_state(s); | |
76 | SSL_set_session(s, server->dnstls_data.session); | |
77 | SSL_set_bio(s, TAKE_PTR(rb), TAKE_PTR(wb)); | |
78 | ||
79 | ERR_clear_error(); | |
80 | stream->dnstls_data.handshake = SSL_do_handshake(s); | |
81 | if (stream->dnstls_data.handshake <= 0) { | |
82 | error = SSL_get_error(s, stream->dnstls_data.handshake); | |
83 | if (!IN_SET(error, SSL_ERROR_WANT_READ, SSL_ERROR_WANT_WRITE)) { | |
84 | char errbuf[256]; | |
85 | ||
86 | ERR_error_string_n(error, errbuf, sizeof(errbuf)); | |
87 | log_debug("Failed to invoke SSL_do_handshake: %s", errbuf); | |
88 | return -ECONNREFUSED; | |
89 | } | |
90 | } | |
91 | ||
92 | stream->encrypted = true; | |
93 | stream->dnstls_data.ssl = TAKE_PTR(s); | |
94 | ||
95 | r = dnstls_flush_write_buffer(stream); | |
96 | if (r < 0 && r != -EAGAIN) { | |
97 | SSL_free(TAKE_PTR(stream->dnstls_data.ssl)); | |
98 | return r; | |
99 | } | |
100 | ||
101 | return 0; | |
102 | } | |
103 | ||
104 | void dnstls_stream_free(DnsStream *stream) { | |
105 | assert(stream); | |
106 | assert(stream->encrypted); | |
107 | ||
108 | if (stream->dnstls_data.ssl) | |
109 | SSL_free(stream->dnstls_data.ssl); | |
110 | } | |
111 | ||
112 | int dnstls_stream_on_io(DnsStream *stream, uint32_t revents) { | |
113 | int error, r; | |
114 | ||
115 | assert(stream); | |
116 | assert(stream->encrypted); | |
117 | assert(stream->dnstls_data.ssl); | |
118 | ||
119 | /* Flush write buffer when requested by OpenSSL */ | |
120 | if ((revents & EPOLLOUT) && (stream->dnstls_events & EPOLLOUT)) { | |
121 | r = dnstls_flush_write_buffer(stream); | |
122 | if (r < 0) | |
123 | return r; | |
124 | } | |
125 | ||
126 | if (stream->dnstls_data.shutdown) { | |
127 | ERR_clear_error(); | |
128 | r = SSL_shutdown(stream->dnstls_data.ssl); | |
129 | if (r == 0) { | |
130 | stream->dnstls_events = 0; | |
131 | ||
132 | r = dnstls_flush_write_buffer(stream); | |
133 | if (r < 0) | |
134 | return r; | |
135 | ||
136 | return -EAGAIN; | |
137 | } else if (r < 0) { | |
138 | error = SSL_get_error(stream->dnstls_data.ssl, r); | |
139 | if (IN_SET(error, SSL_ERROR_WANT_READ, SSL_ERROR_WANT_WRITE)) { | |
140 | stream->dnstls_events = error == SSL_ERROR_WANT_READ ? EPOLLIN : EPOLLOUT; | |
141 | ||
142 | r = dnstls_flush_write_buffer(stream); | |
143 | if (r < 0) | |
144 | return r; | |
145 | ||
146 | return -EAGAIN; | |
147 | } else if (error == SSL_ERROR_SYSCALL) { | |
148 | if (errno > 0) | |
149 | log_debug_errno(errno, "Failed to invoke SSL_shutdown, ignoring: %m"); | |
150 | } else { | |
151 | char errbuf[256]; | |
152 | ||
153 | ERR_error_string_n(error, errbuf, sizeof(errbuf)); | |
154 | log_debug("Failed to invoke SSL_shutdown, ignoring: %s", errbuf); | |
155 | } | |
156 | } | |
157 | ||
158 | stream->dnstls_events = 0; | |
159 | stream->dnstls_data.shutdown = false; | |
160 | ||
161 | r = dnstls_flush_write_buffer(stream); | |
162 | if (r < 0) | |
163 | return r; | |
164 | ||
165 | dns_stream_unref(stream); | |
166 | return DNSTLS_STREAM_CLOSED; | |
167 | } else if (stream->dnstls_data.handshake <= 0) { | |
168 | ERR_clear_error(); | |
169 | stream->dnstls_data.handshake = SSL_do_handshake(stream->dnstls_data.ssl); | |
170 | if (stream->dnstls_data.handshake <= 0) { | |
171 | error = SSL_get_error(stream->dnstls_data.ssl, stream->dnstls_data.handshake); | |
172 | if (IN_SET(error, SSL_ERROR_WANT_READ, SSL_ERROR_WANT_WRITE)) { | |
173 | stream->dnstls_events = error == SSL_ERROR_WANT_READ ? EPOLLIN : EPOLLOUT; | |
174 | r = dnstls_flush_write_buffer(stream); | |
175 | if (r < 0) | |
176 | return r; | |
177 | ||
178 | return -EAGAIN; | |
179 | } else { | |
180 | char errbuf[256]; | |
181 | ||
182 | ERR_error_string_n(error, errbuf, sizeof(errbuf)); | |
183 | return log_debug_errno(SYNTHETIC_ERRNO(ECONNREFUSED), | |
184 | "Failed to invoke SSL_do_handshake: %s", | |
185 | errbuf); | |
186 | } | |
187 | } | |
188 | ||
189 | stream->dnstls_events = 0; | |
190 | r = dnstls_flush_write_buffer(stream); | |
191 | if (r < 0) | |
192 | return r; | |
193 | } | |
194 | ||
195 | return 0; | |
196 | } | |
197 | ||
198 | int dnstls_stream_shutdown(DnsStream *stream, int error) { | |
199 | int ssl_error, r; | |
200 | SSL_SESSION *s; | |
201 | ||
202 | assert(stream); | |
203 | assert(stream->encrypted); | |
204 | assert(stream->dnstls_data.ssl); | |
205 | ||
206 | if (stream->server) { | |
207 | s = SSL_get1_session(stream->dnstls_data.ssl); | |
208 | if (s) { | |
209 | if (stream->server->dnstls_data.session) | |
210 | SSL_SESSION_free(stream->server->dnstls_data.session); | |
211 | ||
212 | stream->server->dnstls_data.session = s; | |
213 | } | |
214 | } | |
215 | ||
216 | if (error == ETIMEDOUT) { | |
217 | ERR_clear_error(); | |
218 | r = SSL_shutdown(stream->dnstls_data.ssl); | |
219 | if (r == 0) { | |
220 | if (!stream->dnstls_data.shutdown) { | |
221 | stream->dnstls_data.shutdown = true; | |
222 | dns_stream_ref(stream); | |
223 | } | |
224 | ||
225 | stream->dnstls_events = 0; | |
226 | ||
227 | r = dnstls_flush_write_buffer(stream); | |
228 | if (r < 0) | |
229 | return r; | |
230 | ||
231 | return -EAGAIN; | |
232 | } else if (r < 0) { | |
233 | ssl_error = SSL_get_error(stream->dnstls_data.ssl, r); | |
234 | if (IN_SET(ssl_error, SSL_ERROR_WANT_READ, SSL_ERROR_WANT_WRITE)) { | |
235 | stream->dnstls_events = ssl_error == SSL_ERROR_WANT_READ ? EPOLLIN : EPOLLOUT; | |
236 | r = dnstls_flush_write_buffer(stream); | |
237 | if (r < 0 && r != -EAGAIN) | |
238 | return r; | |
239 | ||
240 | if (!stream->dnstls_data.shutdown) { | |
241 | stream->dnstls_data.shutdown = true; | |
242 | dns_stream_ref(stream); | |
243 | } | |
244 | return -EAGAIN; | |
245 | } else if (ssl_error == SSL_ERROR_SYSCALL) { | |
246 | if (errno > 0) | |
247 | log_debug_errno(errno, "Failed to invoke SSL_shutdown, ignoring: %m"); | |
248 | } else { | |
249 | char errbuf[256]; | |
250 | ||
251 | ERR_error_string_n(ssl_error, errbuf, sizeof(errbuf)); | |
252 | log_debug("Failed to invoke SSL_shutdown, ignoring: %s", errbuf); | |
253 | } | |
254 | } | |
255 | ||
256 | stream->dnstls_events = 0; | |
257 | r = dnstls_flush_write_buffer(stream); | |
258 | if (r < 0) | |
259 | return r; | |
260 | } | |
261 | ||
262 | return 0; | |
263 | } | |
264 | ||
265 | ssize_t dnstls_stream_write(DnsStream *stream, const char *buf, size_t count) { | |
266 | int error, r; | |
267 | ssize_t ss; | |
268 | ||
269 | assert(stream); | |
270 | assert(stream->encrypted); | |
271 | assert(stream->dnstls_data.ssl); | |
272 | assert(buf); | |
273 | ||
274 | ERR_clear_error(); | |
275 | ss = r = SSL_write(stream->dnstls_data.ssl, buf, count); | |
276 | if (r <= 0) { | |
277 | error = SSL_get_error(stream->dnstls_data.ssl, r); | |
278 | if (IN_SET(error, SSL_ERROR_WANT_READ, SSL_ERROR_WANT_WRITE)) { | |
279 | stream->dnstls_events = error == SSL_ERROR_WANT_READ ? EPOLLIN : EPOLLOUT; | |
280 | ss = -EAGAIN; | |
281 | } else if (error == SSL_ERROR_ZERO_RETURN) { | |
282 | stream->dnstls_events = 0; | |
283 | ss = 0; | |
284 | } else { | |
285 | char errbuf[256]; | |
286 | ||
287 | ERR_error_string_n(error, errbuf, sizeof(errbuf)); | |
288 | log_debug("Failed to invoke SSL_write: %s", errbuf); | |
289 | stream->dnstls_events = 0; | |
290 | ss = -EPIPE; | |
291 | } | |
292 | } else | |
293 | stream->dnstls_events = 0; | |
294 | ||
295 | r = dnstls_flush_write_buffer(stream); | |
296 | if (r < 0) | |
297 | return r; | |
298 | ||
299 | return ss; | |
300 | } | |
301 | ||
302 | ssize_t dnstls_stream_read(DnsStream *stream, void *buf, size_t count) { | |
303 | int error, r; | |
304 | ssize_t ss; | |
305 | ||
306 | assert(stream); | |
307 | assert(stream->encrypted); | |
308 | assert(stream->dnstls_data.ssl); | |
309 | assert(buf); | |
310 | ||
311 | ERR_clear_error(); | |
312 | ss = r = SSL_read(stream->dnstls_data.ssl, buf, count); | |
313 | if (r <= 0) { | |
314 | error = SSL_get_error(stream->dnstls_data.ssl, r); | |
315 | if (IN_SET(error, SSL_ERROR_WANT_READ, SSL_ERROR_WANT_WRITE)) { | |
316 | stream->dnstls_events = error == SSL_ERROR_WANT_READ ? EPOLLIN : EPOLLOUT; | |
317 | ss = -EAGAIN; | |
318 | } else if (error == SSL_ERROR_ZERO_RETURN) { | |
319 | stream->dnstls_events = 0; | |
320 | ss = 0; | |
321 | } else { | |
322 | char errbuf[256]; | |
323 | ||
324 | ERR_error_string_n(error, errbuf, sizeof(errbuf)); | |
325 | log_debug("Failed to invoke SSL_read: %s", errbuf); | |
326 | stream->dnstls_events = 0; | |
327 | ss = -EPIPE; | |
328 | } | |
329 | } else | |
330 | stream->dnstls_events = 0; | |
331 | ||
332 | /* flush write buffer in cache of renegotiation */ | |
333 | r = dnstls_flush_write_buffer(stream); | |
334 | if (r < 0) | |
335 | return r; | |
336 | ||
337 | return ss; | |
338 | } | |
339 | ||
340 | void dnstls_server_free(DnsServer *server) { | |
341 | assert(server); | |
342 | ||
343 | if (server->dnstls_data.session) | |
344 | SSL_SESSION_free(server->dnstls_data.session); | |
345 | } | |
346 | ||
347 | int dnstls_manager_init(Manager *manager) { | |
348 | int r; | |
349 | assert(manager); | |
350 | ||
351 | ERR_load_crypto_strings(); | |
352 | SSL_load_error_strings(); | |
353 | manager->dnstls_data.ctx = SSL_CTX_new(TLS_client_method()); | |
354 | ||
355 | if (!manager->dnstls_data.ctx) | |
356 | return -ENOMEM; | |
357 | ||
358 | SSL_CTX_set_min_proto_version(manager->dnstls_data.ctx, TLS1_2_VERSION); | |
359 | SSL_CTX_set_options(manager->dnstls_data.ctx, SSL_OP_NO_COMPRESSION); | |
360 | ||
361 | return 0; | |
362 | } | |
363 | ||
364 | void dnstls_manager_free(Manager *manager) { | |
365 | assert(manager); | |
366 | ||
367 | if (manager->dnstls_data.ctx) | |
368 | SSL_CTX_free(manager->dnstls_data.ctx); | |
369 | } |