]> git.ipfire.org Git - thirdparty/systemd.git/blob - src/resolve/resolved-dnstls-gnutls.c
projects / thirdparty / systemd.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
units: add Before=shutdown.target to systemd-networkd-persistent-storage.service
[thirdparty/systemd.git] / src / resolve / resolved-dnstls-gnutls.c
1 /* SPDX-License-Identifier: LGPL-2.1-or-later */
2
3 #if !ENABLE_DNS_OVER_TLS || !DNS_OVER_TLS_USE_GNUTLS
4 #error This source file requires DNS-over-TLS to be enabled and GnuTLS to be available.
5 #endif
6
7 #include <gnutls/socket.h>
8
9 #include "iovec-util.h"
10 #include "resolved-dns-stream.h"
11 #include "resolved-dnstls.h"
12 #include "resolved-manager.h"
13
14 #define TLS_PROTOCOL_PRIORITY "NORMAL:-VERS-ALL:+VERS-TLS1.3:+VERS-TLS1.2"
15 DEFINE_TRIVIAL_CLEANUP_FUNC_FULL(gnutls_session_t, gnutls_deinit, NULL);
16
17 static ssize_t dnstls_stream_vec_push(gnutls_transport_ptr_t p, const giovec_t *iov, int iovcnt) {
18 int r;
19
20 assert(p);
21
22 r = dns_stream_writev((DnsStream*) p, (const struct iovec*) iov, iovcnt, DNS_STREAM_WRITE_TLS_DATA);
23 if (r < 0) {
24 errno = -r;
25 return -1;
26 }
27
28 return r;
29 }
30
31 int dnstls_stream_connect_tls(DnsStream *stream, DnsServer *server) {
32 _cleanup_(gnutls_deinitp) gnutls_session_t gs = NULL;
33 int r;
34
35 assert(stream);
36 assert(server);
37
38 r = gnutls_init(&gs, GNUTLS_CLIENT | GNUTLS_ENABLE_FALSE_START | GNUTLS_NONBLOCK);
39 if (r < 0)
40 return r;
41
42 /* As DNS-over-TLS is a recent protocol, older TLS versions can be disabled */
43 r = gnutls_priority_set_direct(gs, TLS_PROTOCOL_PRIORITY, NULL);
44 if (r < 0)
45 return r;
46
47 r = gnutls_credentials_set(gs, GNUTLS_CRD_CERTIFICATE, stream->manager->dnstls_data.cert_cred);
48 if (r < 0)
49 return r;
50
51 if (server->dnstls_data.session_data.size > 0) {
52 gnutls_session_set_data(gs, server->dnstls_data.session_data.data, server->dnstls_data.session_data.size);
53
54 // Clear old session ticket
55 gnutls_free(server->dnstls_data.session_data.data);
56 server->dnstls_data.session_data.data = NULL;
57 server->dnstls_data.session_data.size = 0;
58 }
59
60 if (server->manager->dns_over_tls_mode == DNS_OVER_TLS_YES) {
61 if (server->server_name)
62 gnutls_session_set_verify_cert(gs, server->server_name, 0);
63 else {
64 stream->dnstls_data.validation.type = GNUTLS_DT_IP_ADDRESS;
65 if (server->family == AF_INET) {
66 stream->dnstls_data.validation.data = (unsigned char*) &server->address.in.s_addr;
67 stream->dnstls_data.validation.size = 4;
68 } else {
69 stream->dnstls_data.validation.data = server->address.in6.s6_addr;
70 stream->dnstls_data.validation.size = 16;
71 }
72 gnutls_session_set_verify_cert2(gs, &stream->dnstls_data.validation, 1, 0);
73 }
74 }
75
76 if (server->server_name) {
77 r = gnutls_server_name_set(gs, GNUTLS_NAME_DNS, server->server_name, strlen(server->server_name));
78 if (r < 0)
79 return log_debug_errno(SYNTHETIC_ERRNO(EINVAL), "Failed to set server name: %s", gnutls_strerror(r));
80 }
81
82 gnutls_handshake_set_timeout(gs, GNUTLS_DEFAULT_HANDSHAKE_TIMEOUT);
83
84 gnutls_transport_set_ptr2(gs, (gnutls_transport_ptr_t) (long) stream->fd, stream);
85 gnutls_transport_set_vec_push_function(gs, &dnstls_stream_vec_push);
86
87 stream->encrypted = true;
88 stream->dnstls_data.handshake = gnutls_handshake(gs);
89 if (stream->dnstls_data.handshake < 0 && gnutls_error_is_fatal(stream->dnstls_data.handshake))
90 return -ECONNREFUSED;
91
92 stream->dnstls_data.session = TAKE_PTR(gs);
93
94 return 0;
95 }
96
97 void dnstls_stream_free(DnsStream *stream) {
98 assert(stream);
99 assert(stream->encrypted);
100
101 if (stream->dnstls_data.session)
102 gnutls_deinit(stream->dnstls_data.session);
103 }
104
105 int dnstls_stream_on_io(DnsStream *stream, uint32_t revents) {
106 int r;
107
108 assert(stream);
109 assert(stream->encrypted);
110 assert(stream->dnstls_data.session);
111
112 if (stream->dnstls_data.shutdown) {
113 r = gnutls_bye(stream->dnstls_data.session, GNUTLS_SHUT_RDWR);
114 if (r == GNUTLS_E_AGAIN) {
115 stream->dnstls_events = gnutls_record_get_direction(stream->dnstls_data.session) == 1 ? EPOLLOUT : EPOLLIN;
116 return -EAGAIN;
117 } else if (r < 0)
118 log_debug("Failed to invoke gnutls_bye: %s", gnutls_strerror(r));
119
120 stream->dnstls_events = 0;
121 stream->dnstls_data.shutdown = false;
122 dns_stream_unref(stream);
123 return DNSTLS_STREAM_CLOSED;
124 } else if (stream->dnstls_data.handshake < 0) {
125 stream->dnstls_data.handshake = gnutls_handshake(stream->dnstls_data.session);
126 if (stream->dnstls_data.handshake == GNUTLS_E_AGAIN) {
127 stream->dnstls_events = gnutls_record_get_direction(stream->dnstls_data.session) == 1 ? EPOLLOUT : EPOLLIN;
128 return -EAGAIN;
129 } else if (stream->dnstls_data.handshake < 0) {
130 log_debug("Failed to invoke gnutls_handshake: %s", gnutls_strerror(stream->dnstls_data.handshake));
131 if (gnutls_error_is_fatal(stream->dnstls_data.handshake))
132 return -ECONNREFUSED;
133 }
134
135 stream->dnstls_events = 0;
136 }
137
138 return 0;
139 }
140
141 int dnstls_stream_shutdown(DnsStream *stream, int error) {
142 int r;
143
144 assert(stream);
145 assert(stream->encrypted);
146 assert(stream->dnstls_data.session);
147
148 /* Store TLS Ticket for faster successive TLS handshakes */
149 if (stream->server && stream->server->dnstls_data.session_data.size == 0 && stream->dnstls_data.handshake == GNUTLS_E_SUCCESS)
150 gnutls_session_get_data2(stream->dnstls_data.session, &stream->server->dnstls_data.session_data);
151
152 if (IN_SET(error, ETIMEDOUT, 0)) {
153 r = gnutls_bye(stream->dnstls_data.session, GNUTLS_SHUT_RDWR);
154 if (r == GNUTLS_E_AGAIN) {
155 if (!stream->dnstls_data.shutdown) {
156 stream->dnstls_data.shutdown = true;
157 dns_stream_ref(stream);
158 return -EAGAIN;
159 }
160 } else if (r < 0)
161 log_debug("Failed to invoke gnutls_bye: %s", gnutls_strerror(r));
162 }
163
164 return 0;
165 }
166
167 ssize_t dnstls_stream_writev(DnsStream *stream, const struct iovec *iov, size_t iovcnt) {
168 ssize_t ss;
169
170 assert(stream);
171 assert(stream->encrypted);
172 assert(stream->dnstls_data.session);
173 assert(iov);
174 assert(iovec_total_size(iov, iovcnt) > 0);
175
176 gnutls_record_cork(stream->dnstls_data.session);
177
178 for (size_t i = 0; i < iovcnt; i++) {
179 ss = gnutls_record_send(
180 stream->dnstls_data.session,
181 iov[i].iov_base, iov[i].iov_len);
182 if (ss < 0)
183 break;
184 }
185
186 ss = gnutls_record_uncork(stream->dnstls_data.session, 0);
187 if (ss < 0)
188 switch (ss) {
189 case GNUTLS_E_INTERRUPTED:
190 return -EINTR;
191 case GNUTLS_E_AGAIN:
192 return -EAGAIN;
193 default:
194 return log_debug_errno(SYNTHETIC_ERRNO(EPIPE),
195 "Failed to invoke gnutls_record_send: %s",
196 gnutls_strerror(ss));
197 }
198
199 return ss;
200 }
201
202 ssize_t dnstls_stream_read(DnsStream *stream, void *buf, size_t count) {
203 ssize_t ss;
204
205 assert(stream);
206 assert(stream->encrypted);
207 assert(stream->dnstls_data.session);
208 assert(buf);
209
210 ss = gnutls_record_recv(stream->dnstls_data.session, buf, count);
211 if (ss < 0)
212 switch (ss) {
213 case GNUTLS_E_INTERRUPTED:
214 return -EINTR;
215 case GNUTLS_E_AGAIN:
216 return -EAGAIN;
217 default:
218 return log_debug_errno(SYNTHETIC_ERRNO(EPIPE),
219 "Failed to invoke gnutls_record_recv: %s",
220 gnutls_strerror(ss));
221 }
222
223 return ss;
224 }
225
226 void dnstls_server_free(DnsServer *server) {
227 assert(server);
228
229 if (server->dnstls_data.session_data.data)
230 gnutls_free(server->dnstls_data.session_data.data);
231 }
232
233 int dnstls_manager_init(Manager *manager) {
234 int r;
235 assert(manager);
236
237 r = gnutls_certificate_allocate_credentials(&manager->dnstls_data.cert_cred);
238 if (r < 0)
239 return -ENOMEM;
240
241 r = gnutls_certificate_set_x509_system_trust(manager->dnstls_data.cert_cred);
242 if (r < 0)
243 log_warning("Failed to load system trust store: %s", gnutls_strerror(r));
244
245 return 0;
246 }
247
248 void dnstls_manager_free(Manager *manager) {
249 assert(manager);
250
251 if (manager->dnstls_data.cert_cred)
252 gnutls_certificate_free_credentials(manager->dnstls_data.cert_cred);
253 }
Unnamed repository; edit this file 'description' to name the repository.