1 /* SPDX-License-Identifier: LGPL-2.1+ */
3 #if !ENABLE_DNS_OVER_TLS || !DNS_OVER_TLS_USE_OPENSSL
4 #error This source file requires DNS-over-TLS to be enabled and OpenSSL to be available.
7 #include <openssl/bio.h>
8 #include <openssl/err.h>
11 #include "resolved-dns-stream.h"
12 #include "resolved-dnstls.h"
14 DEFINE_TRIVIAL_CLEANUP_FUNC(SSL
*, SSL_free
);
15 DEFINE_TRIVIAL_CLEANUP_FUNC(BIO
*, BIO_free
);
17 static int dnstls_flush_write_buffer(DnsStream
*stream
) {
21 assert(stream
->encrypted
);
23 if (stream
->dnstls_data
.buffer_offset
< stream
->dnstls_data
.write_buffer
->length
) {
24 assert(stream
->dnstls_data
.write_buffer
->data
);
27 iov
[0] = IOVEC_MAKE(stream
->dnstls_data
.write_buffer
->data
+ stream
->dnstls_data
.buffer_offset
,
28 stream
->dnstls_data
.write_buffer
->length
- stream
->dnstls_data
.buffer_offset
);
29 ss
= dns_stream_writev(stream
, iov
, 1, DNS_STREAM_WRITE_TLS_DATA
);
32 stream
->dnstls_events
|= EPOLLOUT
;
36 stream
->dnstls_data
.buffer_offset
+= ss
;
38 if (stream
->dnstls_data
.buffer_offset
< stream
->dnstls_data
.write_buffer
->length
) {
39 stream
->dnstls_events
|= EPOLLOUT
;
42 BIO_reset(SSL_get_wbio(stream
->dnstls_data
.ssl
));
43 stream
->dnstls_data
.buffer_offset
= 0;
51 int dnstls_stream_connect_tls(DnsStream
*stream
, DnsServer
*server
) {
52 _cleanup_(BIO_freep
) BIO
*rb
= NULL
, *wb
= NULL
;
53 _cleanup_(SSL_freep
) SSL
*s
= NULL
;
57 assert(stream
->manager
);
60 rb
= BIO_new_socket(stream
->fd
, 0);
64 wb
= BIO_new(BIO_s_mem());
68 BIO_get_mem_ptr(wb
, &stream
->dnstls_data
.write_buffer
);
69 stream
->dnstls_data
.buffer_offset
= 0;
71 s
= SSL_new(stream
->manager
->dnstls_data
.ctx
);
75 SSL_set_connect_state(s
);
76 SSL_set_session(s
, server
->dnstls_data
.session
);
77 SSL_set_bio(s
, TAKE_PTR(rb
), TAKE_PTR(wb
));
80 stream
->dnstls_data
.handshake
= SSL_do_handshake(s
);
81 if (stream
->dnstls_data
.handshake
<= 0) {
82 error
= SSL_get_error(s
, stream
->dnstls_data
.handshake
);
83 if (!IN_SET(error
, SSL_ERROR_WANT_READ
, SSL_ERROR_WANT_WRITE
)) {
86 ERR_error_string_n(error
, errbuf
, sizeof(errbuf
));
87 log_debug("Failed to invoke SSL_do_handshake: %s", errbuf
);
92 stream
->encrypted
= true;
93 stream
->dnstls_data
.ssl
= TAKE_PTR(s
);
95 r
= dnstls_flush_write_buffer(stream
);
96 if (r
< 0 && r
!= -EAGAIN
) {
97 SSL_free(TAKE_PTR(stream
->dnstls_data
.ssl
));
104 void dnstls_stream_free(DnsStream
*stream
) {
106 assert(stream
->encrypted
);
108 if (stream
->dnstls_data
.ssl
)
109 SSL_free(stream
->dnstls_data
.ssl
);
112 int dnstls_stream_on_io(DnsStream
*stream
, uint32_t revents
) {
116 assert(stream
->encrypted
);
117 assert(stream
->dnstls_data
.ssl
);
119 /* Flush write buffer when requested by OpenSSL */
120 if ((revents
& EPOLLOUT
) && (stream
->dnstls_events
& EPOLLOUT
)) {
121 r
= dnstls_flush_write_buffer(stream
);
126 if (stream
->dnstls_data
.shutdown
) {
128 r
= SSL_shutdown(stream
->dnstls_data
.ssl
);
130 stream
->dnstls_events
= 0;
132 r
= dnstls_flush_write_buffer(stream
);
138 error
= SSL_get_error(stream
->dnstls_data
.ssl
, r
);
139 if (IN_SET(error
, SSL_ERROR_WANT_READ
, SSL_ERROR_WANT_WRITE
)) {
140 stream
->dnstls_events
= error
== SSL_ERROR_WANT_READ
? EPOLLIN
: EPOLLOUT
;
142 r
= dnstls_flush_write_buffer(stream
);
147 } else if (error
== SSL_ERROR_SYSCALL
) {
149 log_debug_errno(errno
, "Failed to invoke SSL_shutdown, ignoring: %m");
153 ERR_error_string_n(error
, errbuf
, sizeof(errbuf
));
154 log_debug("Failed to invoke SSL_shutdown, ignoring: %s", errbuf
);
158 stream
->dnstls_events
= 0;
159 stream
->dnstls_data
.shutdown
= false;
161 r
= dnstls_flush_write_buffer(stream
);
165 dns_stream_unref(stream
);
166 return DNSTLS_STREAM_CLOSED
;
167 } else if (stream
->dnstls_data
.handshake
<= 0) {
169 stream
->dnstls_data
.handshake
= SSL_do_handshake(stream
->dnstls_data
.ssl
);
170 if (stream
->dnstls_data
.handshake
<= 0) {
171 error
= SSL_get_error(stream
->dnstls_data
.ssl
, stream
->dnstls_data
.handshake
);
172 if (IN_SET(error
, SSL_ERROR_WANT_READ
, SSL_ERROR_WANT_WRITE
)) {
173 stream
->dnstls_events
= error
== SSL_ERROR_WANT_READ
? EPOLLIN
: EPOLLOUT
;
174 r
= dnstls_flush_write_buffer(stream
);
182 ERR_error_string_n(error
, errbuf
, sizeof(errbuf
));
183 return log_debug_errno(SYNTHETIC_ERRNO(ECONNREFUSED
),
184 "Failed to invoke SSL_do_handshake: %s",
189 stream
->dnstls_events
= 0;
190 r
= dnstls_flush_write_buffer(stream
);
198 int dnstls_stream_shutdown(DnsStream
*stream
, int error
) {
203 assert(stream
->encrypted
);
204 assert(stream
->dnstls_data
.ssl
);
206 if (stream
->server
) {
207 s
= SSL_get1_session(stream
->dnstls_data
.ssl
);
209 if (stream
->server
->dnstls_data
.session
)
210 SSL_SESSION_free(stream
->server
->dnstls_data
.session
);
212 stream
->server
->dnstls_data
.session
= s
;
216 if (error
== ETIMEDOUT
) {
218 r
= SSL_shutdown(stream
->dnstls_data
.ssl
);
220 if (!stream
->dnstls_data
.shutdown
) {
221 stream
->dnstls_data
.shutdown
= true;
222 dns_stream_ref(stream
);
225 stream
->dnstls_events
= 0;
227 r
= dnstls_flush_write_buffer(stream
);
233 ssl_error
= SSL_get_error(stream
->dnstls_data
.ssl
, r
);
234 if (IN_SET(ssl_error
, SSL_ERROR_WANT_READ
, SSL_ERROR_WANT_WRITE
)) {
235 stream
->dnstls_events
= ssl_error
== SSL_ERROR_WANT_READ
? EPOLLIN
: EPOLLOUT
;
236 r
= dnstls_flush_write_buffer(stream
);
237 if (r
< 0 && r
!= -EAGAIN
)
240 if (!stream
->dnstls_data
.shutdown
) {
241 stream
->dnstls_data
.shutdown
= true;
242 dns_stream_ref(stream
);
245 } else if (ssl_error
== SSL_ERROR_SYSCALL
) {
247 log_debug_errno(errno
, "Failed to invoke SSL_shutdown, ignoring: %m");
251 ERR_error_string_n(ssl_error
, errbuf
, sizeof(errbuf
));
252 log_debug("Failed to invoke SSL_shutdown, ignoring: %s", errbuf
);
256 stream
->dnstls_events
= 0;
257 r
= dnstls_flush_write_buffer(stream
);
265 ssize_t
dnstls_stream_write(DnsStream
*stream
, const char *buf
, size_t count
) {
270 assert(stream
->encrypted
);
271 assert(stream
->dnstls_data
.ssl
);
275 ss
= r
= SSL_write(stream
->dnstls_data
.ssl
, buf
, count
);
277 error
= SSL_get_error(stream
->dnstls_data
.ssl
, r
);
278 if (IN_SET(error
, SSL_ERROR_WANT_READ
, SSL_ERROR_WANT_WRITE
)) {
279 stream
->dnstls_events
= error
== SSL_ERROR_WANT_READ
? EPOLLIN
: EPOLLOUT
;
281 } else if (error
== SSL_ERROR_ZERO_RETURN
) {
282 stream
->dnstls_events
= 0;
287 ERR_error_string_n(error
, errbuf
, sizeof(errbuf
));
288 log_debug("Failed to invoke SSL_write: %s", errbuf
);
289 stream
->dnstls_events
= 0;
293 stream
->dnstls_events
= 0;
295 r
= dnstls_flush_write_buffer(stream
);
302 ssize_t
dnstls_stream_read(DnsStream
*stream
, void *buf
, size_t count
) {
307 assert(stream
->encrypted
);
308 assert(stream
->dnstls_data
.ssl
);
312 ss
= r
= SSL_read(stream
->dnstls_data
.ssl
, buf
, count
);
314 error
= SSL_get_error(stream
->dnstls_data
.ssl
, r
);
315 if (IN_SET(error
, SSL_ERROR_WANT_READ
, SSL_ERROR_WANT_WRITE
)) {
316 stream
->dnstls_events
= error
== SSL_ERROR_WANT_READ
? EPOLLIN
: EPOLLOUT
;
318 } else if (error
== SSL_ERROR_ZERO_RETURN
) {
319 stream
->dnstls_events
= 0;
324 ERR_error_string_n(error
, errbuf
, sizeof(errbuf
));
325 log_debug("Failed to invoke SSL_read: %s", errbuf
);
326 stream
->dnstls_events
= 0;
330 stream
->dnstls_events
= 0;
332 /* flush write buffer in cache of renegotiation */
333 r
= dnstls_flush_write_buffer(stream
);
340 void dnstls_server_free(DnsServer
*server
) {
343 if (server
->dnstls_data
.session
)
344 SSL_SESSION_free(server
->dnstls_data
.session
);
347 void dnstls_manager_init(Manager
*manager
) {
351 ERR_load_crypto_strings();
352 SSL_load_error_strings();
353 manager
->dnstls_data
.ctx
= SSL_CTX_new(TLS_client_method());
354 if (manager
->dnstls_data
.ctx
) {
355 SSL_CTX_set_min_proto_version(manager
->dnstls_data
.ctx
, TLS1_2_VERSION
);
356 SSL_CTX_set_options(manager
->dnstls_data
.ctx
, SSL_OP_NO_COMPRESSION
);
360 void dnstls_manager_free(Manager
*manager
) {
363 if (manager
->dnstls_data
.ctx
)
364 SSL_CTX_free(manager
->dnstls_data
.ctx
);